FAS L1

IT RISK

Project By
FAS L1
Ankita Bajpai – 19F208
Arjun Mallya – 19F211
Krishna Sharma – 19F222
Sneha Pradhan – 19F255
Shubham Joshi – 19F254

Under the guidance of

Prof. Kedareshwaran Subramanian and Prof. Gurudutt Nayak


Table of Contents

What is Risk?
IT Risk
Types of IT Risk
Security Threats
Risk Management
Risk Management Frameworks
ISO/IEC 27001 Information Security Management (ISMS)
General Data Protection Regulation (GDPR)
BCM (Business Continuity Management)
COBIT
YAHOO!
Data Breaches
Data Breaches in the 2010s
Impact on shares after the breach
Other costs incurred by Yahoo
Some other major effects
Mitigation measures taken
Conclusions drawn from the case
Pinnacle Media
Hierarchy
Operations
Risk Analysis using Probability Impact Matrix
References


What is Risk?

Risk refers to the probability that a negative incident, such as injury, loss or damage, occurs.
Risks may arise from internal vulnerabilities in a process or an activity; these risks can be
prevented. Risks also arise from external factors, which are outside the organisation's control.

For an organisation, risks can occur at all levels – strategic, operational, and project level.

IT Risk

IT risk covers any threat to a firm’s data and critical systems that impacts its business
processes once IT is adopted within an organisation. Such risks can damage business value.

Types of IT Risk

Architecture Risk

Flaws in the architectural design of, say, a platform built to perform the key activities of a
project.

Asset Management Risk

Risks associated with all software and hardware elements used in a business.

Audit Risk

Risk of an audit missing crucial security vulnerabilities. Example: legacy risk, a
technology-associated risk wherein the technology in use is so out of date that it causes
operational inefficiency.

Availability

The actual uptime of a resource as a percentage of its expected uptime.

Benefit Shortfall

IT related investments that do not give back the expected returns.


Budget Risk

IT implementations that overshoot the allocated or intended budget.

Capacity

Network overload on IT infrastructure that leads to operational inefficiencies.

Change Control

Capturing, evaluating, prioritizing, approving, scheduling and implementing change.

Compliance Violations

Risk of violating regulations or laws.

Contract Risk

This is a legal risk wherein a contracting party fails to meet its contractual obligations.
Example: an IT vendor who violates the terms by delivering a project that fails.

Data Loss

Loss of crucial data/information that cannot be recovered.

• Physical – Device damage leading to data loss.
• Logical – Data deletion leading to loss.
• Transport – Network/service outage causing data loss.
• Data Corruption – Software/hardware related loss.
• Vendor Issues – Primarily with firms offering PaaS. Example: expiration of a cloud
storage subscription causes data to become inaccessible.

Poor data quality, which can lead to operational inefficiency, late deliveries, poor customer
satisfaction, etc., also falls under this heading.

Infrastructure Risk


Facility-related failures which cause disruption to the business. Examples: basic services,
organisational structures, databases, etc.

Innovation Risk

Risks associated with the fast-changing environment and methods of mitigating the same.

Integration Risk

The risk potential of integrating departments, processes, information, etc.

Progress Trap

This is the risk of implementing new technology whose damages are unknown and are
recognised late. The precautionary principle therefore helps to estimate and recognise any such
threats.

Process Risk

The probability of disruptions to processes, e.g. from infrastructure risk, IT risk, human
error, workplace safety, mechanical failure and process quality.

Resource Risk

Threat of goals being unaccomplished due to a lack of resources.

Security Threats

Single Point of Failure

Threat of a large system being disrupted due to the failure of a small component.

Security Vulnerabilities

Refers to the threat of malicious behaviour or unauthorised access due to a system flaw or a
flaw in software code.

Strategy Risk

Risk of failure/loss from business decisions or lack of certain decisions.

Technical Debt

Additional rework costs that may be incurred when cheaper alternatives are chosen instead of
better software development approaches.

Transaction Processing Risk

Risks of human error or IT system error causing disruptions in the processing of
transactions.

Vendor Risk

Risks that exist while using a vendor’s products or services.


Risk Management

Since it is important for companies to take risks in order to make capital gains, it is equally
important for them to have an effective Risk Management Framework (RMF). A well-planned
RMF enables organisations to withstand market uncertainties, lower their borrowing costs and
improve their performance in the long run.

The main components of an effective RMF are:

1. Risk identification
2. Risk measurement and assessment
3. Risk mitigation
4. Risk reporting and monitoring
5. Risk governance

Figure: Risk management cycle, with the stages Identify, Assess, Mitigate/Contingency,
Manage Response and Review/Monitor arranged around Risk.


Risk Mitigation Frameworks

ISO/IEC 27001 Information Security Management (ISMS)

ISO/IEC 27001 is an internationally recognised best-practice framework for an information
security management system (ISMS). It helps in identifying and mitigating risk based on the
organisation's specific business activities. Certification also helps organisations demonstrate
to stakeholders their best practices in managing information safely and securely.

These standards ensure that the business addresses:

• Security policy
• Organisational and staff security
• Asset classification and control
• Physical and environmental security
• Communications and operations management
• Access control
• System development and maintenance
• Business continuity management
• Compliance


General Data Protection Regulation (GDPR)

GDPR came into effect on 25 May 2018. It protects natural persons with regard to how
organisations process and use their personal data. All EU member states have to follow
these regulations.

GDPR includes the following:

• Principles relating to processing of personal data
• Rights of the data subject
• Rights, obligations and code of conduct of data controller and processor
• Transfers of personal data to third countries or international organisations
• Tasks and powers of independent supervisory authorities
• Cooperation and consistency of other authorities/boards involved
• Remedies, liabilities and penalties
• Provisions relating to specific processing situations
• Delegated acts and implementing acts


BCM (Business Continuity Management) – Minimising business disruptions during a crisis.

Primary Controls:

• Disaster Recovery
• Business Recovery
• Contingency Planning
• Emergency Management
• Incident Management

BCM, as defined by ISO 22301, emphasises the importance of:

• Implementing and operating controls and measures for managing an organisation’s
overall continuity risks
• Monitoring and reviewing the performance and effectiveness of the business
continuity management system
• Continual improvement based on objective measurements

COBIT

Figure: COBIT framework


YAHOO!

Data Breaches

Yahoo!, now Altaba, is an American web service provider. Founded in 1994, it is currently
owned by Verizon Media Company and is headquartered in Sunnyvale, California. Its most
famous products are Yahoo Mail and Yahoo News. Yahoo News, with a reader base of
6 billion, was the most read portal in 2016. By 2011, Yahoo Mail had 261 million users,
making it the third largest email provider. It has 18-20 more web services with millions of
users across the globe.

Data Breaches in the 2010s:

In December 2013, Yahoo’s security team learned that Russian hackers had gained access to
their users’ PII (Personally Identifiable Information): the usernames, addresses, email IDs,
phone numbers, passwords and security questions of at least 500 million accounts. Yahoo’s
Chief Information Security Officer sent mails to senior management stating that they were
under attack and that a lot of data had been breached.

In 2014, Yahoo’s security team found out that 1 billion accounts, not 500 million as thought
earlier, were affected by the hack. The hackers had gained access to Yahoo’s user database
and account management tool by spear-phishing Yahoo employees who had access to these
servers.

Thereafter, the same hackers continued to attack Yahoo’s database throughout 2015 and
2016, and senior management did not take any action.

In 2016, during the due diligence for the Yahoo-Verizon deal, it came to light that the data
breaches could have impacted 1.5 billion accounts. On further probing, it was found that
all 3 billion accounts were affected over the two years of hacking. It was also found that the
hackers had forged cookies that allowed them to access accounts without passwords.


Types of IT Risks

Physical threats:

State-sponsored hackers gained access to the company’s protected servers and extracted the
“personal” information of all the accounts held with Yahoo.

This data can be used by the hackers to perform identity theft.

Electronic threats:

The hackers were able to create cookies based on the user data and to access accounts
without a username and password.

Hackers were able to use the data stolen from the servers (such as names, DOB and security
questions) to gain access to other, non-Yahoo websites.

Human Error

Even after repeated warnings from Yahoo’s IT security teams to senior management, no
action was taken to prevent such attacks.

Employees were not educated enough to identify phishing attacks and therefore became the
point of entry for the hackers.

Accountability

Foreign Agent:

In a security hearing at the US Senate in Washington D.C., former Yahoo CEO Marissa
Mayer acknowledged that they were hit by a state-sponsored attack by Russia that impacted
all of the 3 billion accounts active with Yahoo.


Senior Management:

Even after the CISO’s preliminary email to senior management reporting the hack, followed
by many mails in 2015 and 2016 on the progress and severity of the hack, senior management
failed to react. Instead, they decided to downplay the hacks as a minor cyberattack incident.
The actual scale of the hack was found out during the due diligence process of the
Yahoo-Verizon deal.

Employees:

Yahoo employees were not educated enough to recognise cyberattacks and therefore became
targets of the hackers’ phishing attacks. The employees responsible for handling Yahoo’s
database and account management systems were specifically targeted by the hackers.

Financial Implication:

In 2018 Yahoo, now known as Altaba, became the first public company to be fined
($35 million) by the Securities and Exchange Commission for filing statements that failed to
disclose known data breaches. This is on top of the $80 million federal securities class action
settlement that Yahoo reached in March 2018, the first of its kind based on a cyberattack.
Shareholder derivative actions remain pending in state courts, and consumer data breach
class actions have survived initial motions to dismiss and remain consolidated in California
for pre-trial proceedings. At the other end of the spectrum, a federal judge balked at the
U.S. Department of Justice's (DOJ) request that a hacker-for-hire indicted in the Yahoo
attacks be sentenced to eight years in prison for a digital crime spree dating back to 2010.

Impact on shares after the breach

Yahoo’s shares fell by 5% as soon as the company revealed a second massive data breach,
amid fears that this might kill the deal with Verizon, which had signed to buy its core Internet
business.

Yahoo lost $1.3 billion in market capitalisation.


Figure: Income statement YoY

Yahoo was asked to pay $85 million in settlement charges for the damages caused and to
provide free credit monitoring services for over 200 million impacted customers. Also, on
learning of the breach disclosure, Verizon termed it a “material adverse event”, which cost
Yahoo a $350 million reduction in the acquisition price.

Other costs incurred by Yahoo were:

Costs                                             | Loss
attorneys’ fees                                   | $35 million
towards their cyber incidents                     | $16 million
forensic investigation and remediation activities | $5 million
legal costs                                       | $11 million

Some other major effects:

1. Financial reports of Yahoo! Inc. show that it lost $1.23 billion in the second quarter
of the 2014 financial year.
2. Most affected users quit the company, and this led to a drop in the number of
accounts.
3. Advertisers also reduced, and the company ran into a loss as its profits dropped and
its operating costs increased, especially as the maintenance costs to curb the attack
were included.
4. This resulted in the company laying off 15% of its workforce in 2015 to reduce
costs and stabilise the profit margin.

Mitigation measures taken:

1. Operational Risk Mitigation: To mitigate future attacks the company changed its
processes. It first doubled the size of its internal security staff and put $260 million
into security initiatives.
2. Architecture Risk Mitigation: It also added a feature that lets users see who has
logged into their account remotely and log them out, along with access to password
authentication via a third party.
3. Security Risk Mitigation: The company also installed numerous firewalls to prevent
any form of hacking, while at the same time enabling its users to manage their
accounts offline.
4. Technological Risk Mitigation: The company came up with antivirus software, which
it sends to users via their accounts. After installation, the software acts to prevent
phishing incidents and hence prevents hackers from getting into any private account
data.

All these process changes have so far helped to curb identity-theft cyber-crime at
Yahoo! Inc. from 2014 to date.

Conclusion drawn from the case:

It has now become prominent that cybersecurity breaches have risen alarmingly, with
identity theft hitting major companies, as in the case of Yahoo. It is therefore high time that
companies (small or large) invest heavily in ensuring their systems are malware-proof and
installed with the latest, updated anti-virus software, which can detect any kind of breach
very quickly.

Preventive measures:

1. Restricting employees to viewing only the data they are authorised for. The hacker in
the 2014 Yahoo breach got access to the database through a phishing campaign. If
only a few dedicated employees had been given access to the database, the loss would
not have been so large.
2. Ensure that employees and users follow a standard password policy: employees
should be mandated to change their passwords frequently according to predefined
standards. This helps prevent hackers who have accessed the system before from
returning with the same credentials.
3. Training must be given to employees on such attacks: training employees on the
danger of phishing emails and the different ways hacks occur helps companies prepare
internally.
4. Deploying firewalls and security software, such as anti-spyware and antivirus
programs, can prevent and remove malicious code. Employees should be asked to
update their systems frequently to protect against known bugs and vulnerabilities.
5. Monitor suspicious activities or cookies: use resources to detect login activity
through cookies and restrict access for such users in future.
6. Outsourcing IT security to professional security firms: hand the IT security system to
industry-professional security companies and follow best practices.

Detective Measures:

1. Review of Intrusion Detection System: hiring an outside team or a security company
to monitor the devices for malicious activity. Reviewing any policy violation and other
prohibited usage can help to prevent and diagnose risks and threats well in advance.
This can prevent intruders from gaining information through viruses or malware
attacks.
2. Technologies for detecting security breaches: using extra measures like CAPTCHA and
reCAPTCHA will help prevent machines and bots from gaining access to secured IT
systems.

Pinnacle Media

We have taken Pinnacle Media, a private company which provides tech solutions in the
verticals digital image processing, software development, app development and animation
for print and media.

The company has a strength of 65 employees.

Hierarchy

Figure: Organisational hierarchy – MD; GM; three departments (Imaging, Software, Admin);
Shift Supervisors 1 and 2 and a third Shift Supervisor, each with Developers under them;
HR; Accounting.

Operations

The company places high importance on data privacy, cyber security and regulation (on the
legal front). 90% of its business comes from overseas. Therefore, complying with the norms
and terms of agreement with its offshore clientele is of utmost importance and has direct
implications for its operations. Protecting client data and internal process data from both
external and internal agents is necessary for its business.

On the infrastructure front, it has tied up with the IT infrastructure provider NETGEAR for
services. It uses NAS systems (of 165TB capacity) to manage its system data. A 24-hour
backup system operates, capturing data backups in an image format.

Company policy requires client data to be stored for up to 3 months in its databases.
Although the NAS system is capable of linking to cloud services, Pinnacle Media has opted
not to subscribe to them.


Internal stakeholders have limited access to company data. Usage of mobile phones,
flash/pen drives and other portable data storage options is not restricted in the company.
Only the top management is allowed to make use of these devices.


Risk Analysis using Probability Impact Matrix

RISK                  | Description                          | IMPACT | FINANCIAL | CLIENT | LEGAL & REGULATORY | REPUTATIONAL | PROBABILITY | P x I
Architecture Risk     | Flaw in architecture design          | 0.9    | High      | Low    | Low                | High         | 0.2         | 0.18
Asset Management Risk | Risk with software/hardware elements | 0.9    | High      | –      | Low                | Medium       | 0.4         | 0.36
Audit Risk            | Missing security vulnerabilities     | 0.7    | Medium    | –      | High               | High         | 0.4         | 0.28
Availability          | Actual time / expected time          | 0.7    | Low       | –      | Low                | Low          | 0.6         | 0.42
Capacity              | Network overload                     | 0.8    | Medium    | –      | Low                | Medium       | 0.8         | 0.64
Change Control        | Implementing new technology change   | 0.7    | High      | –      | Low                | Low          | 0.5         | 0.35
Data Loss             | Recovery of data                     | 0.9    | High      | –      | Low                | High         | 0.4         | 0.36
Training Gap          | Lack of required training            | 0.8    | High      | –      | Low                | Medium       | 0.7         | 0.56

P x I is PROBABILITY multiplied by IMPACT; a CLIENT cell shown as – is not legible in the source.
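The matrix above is a probability-impact scoring: each risk's aggregate impact is multiplied by its probability and the products are compared to decide treatment order. The following is an added example, not code from the original report; it carries the report's eight risks and their ratings through that computation, validates the ratings, and ranks the results. The score bands (high, medium, low) and their thresholds are an assumption introduced here so the ranking reads as a treatment priority; the report itself does not define bands.

```python
"""Probability-impact scoring over the report's risk register.

Added example, not part of the original report. The eight risks with their
impact and probability ratings are copied from the report's Probability
Impact Matrix; the score bands and their thresholds are an assumption made
here so the ranked output can be read as a treatment priority.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Risk:
    name: str
    description: str
    impact: float       # aggregate impact rating, 0.0 to 1.0 (from the report)
    probability: float  # likelihood rating, 0.0 to 1.0 (from the report)

    def __post_init__(self) -> None:
        # Ratings outside [0, 1] would silently distort every P x I comparison,
        # so reject them at construction time.
        for label, value in (("impact", self.impact), ("probability", self.probability)):
            if not 0.0 <= value <= 1.0:
                raise ValueError(f"{self.name}: {label} must lie in [0, 1], got {value}")

    @property
    def score(self) -> float:
        """P x I, rounded to two decimals as the report presents it."""
        return round(self.impact * self.probability, 2)


# Risk register copied from the report's matrix (impact, probability).
REGISTER = [
    Risk("Architecture Risk", "Flaw in architecture design", 0.9, 0.2),
    Risk("Asset Management Risk", "Risk with software/hardware elements", 0.9, 0.4),
    Risk("Audit Risk", "Missing security vulnerabilities", 0.7, 0.4),
    Risk("Availability", "Actual time / expected time", 0.7, 0.6),
    Risk("Capacity", "Network overload", 0.8, 0.8),
    Risk("Change Control", "Implementing new technology change", 0.7, 0.5),
    Risk("Data Loss", "Recovery of data", 0.9, 0.4),
    Risk("Training Gap", "Lack of required training", 0.8, 0.7),
]

# Assumed bands (not in the report): a score at or above the threshold falls
# in that band; the tuple is checked from the highest threshold down.
BANDS = (("high", 0.5), ("medium", 0.3), ("low", 0.0))


def band(score: float) -> str:
    """Map a P x I score to the first band whose threshold it reaches."""
    for label, threshold in BANDS:
        if score >= threshold:
            return label
    return BANDS[-1][0]


def scores(register) -> dict:
    """Name -> P x I score for every risk in the register."""
    return {r.name: r.score for r in register}


def rank(register) -> list:
    """Risks by descending P x I; equal scores keep register order (stable sort)."""
    return sorted(register, key=lambda r: r.score, reverse=True)


def treatment_priority(register) -> list:
    """(name, score, band) triples in the order a treatment plan would address them."""
    return [(r.name, r.score, band(r.score)) for r in rank(register)]


if __name__ == "__main__":
    for name, score, level in treatment_priority(REGISTER):
        print(f"{name:<24} P x I = {score:.2f}  {level}")
```

Under the assumed bands, Capacity (0.64) and Training Gap (0.56) come out as the two risks to treat first, which matches where the report's mitigation table puts its heaviest recommendations; the two 0.36 scores (Asset Management Risk and Data Loss) tie and keep their register order.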


From the risk analysis above, a few suggestions could be given in order to inculcate better
risk management in the organisation:

RISK                  | ACTION          | MITIGATION
Architecture Risk     | Reduce          | Designing a proper framework and architectural design when setting up networks or making a product is the most essential part of any project. Hiring professional designers and taking utmost care at the early stages can help mitigate the development of such risks and helps in smooth functioning.
Asset Management Risk | Avoid           | Maintenance of software and hardware to avoid failure risks. Keeping track of software versions. Updated antivirus. Having a cloud presence to avoid risk due to failure of hardware infrastructure.
Audit Risk            | Transfer        | Should follow the required compliances for GDPR, ISO 27001, etc.
Availability          | Reduce          | If the actual uptime is low, it may cause a lack of resources in critical situations. Presence of backup systems/servers can help in such situations.
Capacity              | Reduce/Transfer | Network overload on IT infrastructure can cause operational inefficiencies. Maintaining proper datacentres can help mitigate the risk. Platform as a service can also be implemented by partnering with other firms.
Change Control        | Avoid           | It can cause loss of man hours and revenue. It can be avoided by allocating a trained IT management team to deal with unforeseen circumstances.
Data Loss             | Avoid           | To deal with physical, logical and transport related data losses, every employee should have project and role-based access. Necessary data should be masked.
Training Gap          | Avoid           | Constant training and evaluation of the employees about the organisational functioning and responsibilities in alignment with their roles/profiles.
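The Data Loss row above calls for project- and role-based access with masking of the data a role does not need, and the first preventive measure in the Yahoo discussion makes the same point (employees see only the data they are authorised for). The following is an added example, not code from the report or from Pinnacle Media, showing one way such a control can be enforced at the point where a record is read: deny by default, check the role against the record's project, and hand back a copy with PII fields masked unless the role is cleared to see them. The role names, project codes, policy table and sample record are all constructed for illustration; the PII fields chosen are the ones the report lists as exposed in the Yahoo case.

```python
"""Project- and role-based access with masking of PII fields.

Added example, not part of the original report. It shows one way to apply
the "project and role-based access" and "necessary data should be masked"
controls from the mitigation table, and the report's first preventive
measure (employees see only data they are authorised for). The role names,
project codes, policy and sample record are constructed for illustration.
"""

# The report lists addresses, email ids and phone numbers among the PII
# exposed in the Yahoo case; those fields are masked for roles that do not
# need them in the clear.
PII_FIELDS = frozenset({"address", "email", "phone"})

# Constructed policy: projects each role may read, and whether it may see PII
# unmasked. Any role not listed here has no access at all (deny by default).
POLICY = {
    "developer":  {"projects": {"PRJ-IMG-01"}, "clear_pii": False},
    "supervisor": {"projects": {"PRJ-IMG-01", "PRJ-SW-02"}, "clear_pii": False},
    "accounting": {"projects": {"PRJ-SW-02"}, "clear_pii": True},
}

# Constructed sample record of the kind the company keeps for a client.
SAMPLE_RECORD = {
    "project": "PRJ-IMG-01",
    "client": "Example Print House",
    "email": "jane@example.com",
    "phone": "5551234567",
    "address": "12 Sample Street",
}


class AccessDenied(PermissionError):
    """Raised when a role is not entitled to a record's project."""


def mask(value: str) -> str:
    """Keep the first and last character and blank out everything between."""
    if len(value) <= 2:
        return "*" * len(value)
    return value[0] + "*" * (len(value) - 2) + value[-1]


def fetch_record(role: str, record: dict) -> dict:
    """Return a copy of `record` as `role` is allowed to see it.

    Unknown roles and roles not assigned to the record's project are refused
    outright; the remaining roles get PII masked unless the policy grants
    clear access. The caller never receives the stored record object itself.
    """
    rule = POLICY.get(role)
    project = record.get("project")
    if rule is None or project not in rule["projects"]:
        raise AccessDenied(f"role {role!r} may not read project {project!r}")
    if rule["clear_pii"]:
        return dict(record)
    return {k: (mask(v) if k in PII_FIELDS else v) for k, v in record.items()}


if __name__ == "__main__":
    print(fetch_record("developer", SAMPLE_RECORD))
    try:
        fetch_record("accounting", SAMPLE_RECORD)
    except AccessDenied as exc:
        print(exc)
```

The check sits in the read path rather than in a UI layer, so a phished developer credential of the kind described in the Yahoo case yields only the developer's own project with PII masked, and an unlisted role yields nothing at all.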


References

https://www.nibusinessinfo.co.uk/content/it-risk-assessment-methodology

https://simplicable.com/new/it-risk-management

https://blog.netwrix.com/2018/01/16/how-to-perform-it-risk-assessment/

https://www.pinnaclemedia.in/

https://www.linkedin.com/company/pinnacle-media-solutions

https://www.mohe.gov.om/userupload/Policy/IT%20Risk%20Management%20Framework.pdf

http://apppm.man.dtu.dk/index.php/Impact_and_Probability_in_Risk_Assessment
