IT RISK
Project By
FAS L1
Ankita Bajpai – 19F208
Arjun Mallya – 19F211
Krishna Sharma – 19F222
Sneha Pradhan – 19F255
Shubham Joshi – 19F254
Table of Contents
What is Risk? 3
IT Risk 3
Types of IT Risk 3
Security Threats 5
Risk Management 7
Risk Management Frameworks 8
ISO/IEC 27001 Information Security Management (ISMS) 8
General Data Protection Regulation (GDPR) 9
BCM (Business Continuity Management) 10
COBIT 10
YAHOO! 11
Data Breaches 11
Data breaches in 2010 11
Impact on shares after the breach 12
Other costs incurred by Yahoo 13
Some other major effects 14
Mitigation measures taken 15
Conclusions drawn from the case 16
Pinnacle Media 17
Hierarchy 17
Operations 18
Risk Analysis using Probability Impact Matrix 19
What is Risk?
Risk is the probability that a negative event (injury, loss, damage, and so on) will occur,
combined with its consequences. Some risks arise from internal vulnerabilities in a process or
an activity; these can be controlled and, in part, prevented. Others arise from external
factors that the organisation cannot control.
For an organisation, risks occur at every level: strategic, operational and project.
IT Risk
IT risk is any threat to a firm's data or critical systems that, once IT is adopted in the
organisation, can disrupt its business processes and so destroy business value.
Types of IT Risk
Architecture Risk
Flaws in the architectural design of, say, a platform built to perform the key activities of a
project. This covers risks in all software and hardware elements used in the business.
Audit Risk
The risk that an audit misses crucial security vulnerabilities. Example: legacy risk, a
technology-related risk in which the technology in use is so out of date that it causes
operational inefficiency.
Availability
Benefit Shortfall
Budget Risk
Capacity
Change Control
Compliance Violations
Contract Risk
A legal risk in which a party fails to meet its contractual obligations. Example: an IT vendor
who breaches the contract by delivering a project that fails.
Data Loss
Vendor issues, primarily with firms offering PaaS. Example: a cloud storage subscription
expires and the data stored there becomes inaccessible.
Poor data quality, which leads to operational inefficiency, late deliveries, poor customer
satisfaction, and similar problems.
Infrastructure Risk
Facility-related failures that disrupt the business. Example: failure of basic services,
organisational structures or databases.
Innovation Risk
Risks arising from a fast-changing environment, and the methods used to mitigate them.
Integration Risk
Progress Trap
The risk of implementing a new technology whose damaging effects are unknown and are
recognised only late. The precautionary principle helps to estimate and recognise such
threats early.
Process Risk
The probability of disruption in a process, e.g. infrastructure failure, IT failure, human
error, workplace safety incidents, mechanical failure and poor process quality.
Resource Risk
Security Threats
The threat that a large system is disrupted by the failure of a small component.
Security Vulnerabilities
Strategy Risk
Technical Debt
Additional rework costs incurred later because cheaper shortcuts were chosen over sound
software development approaches.
Transaction processing risk: disruption of transaction processing caused by human error or
IT system error.
Vendor Risk
Risk Management
Since companies must take risks to earn returns, it is equally important that they have an
effective Risk Management Framework (RMF). A well-planned RMF lets an organisation
withstand market uncertainty, lower its borrowing costs and improve its performance in the
long run. The framework has five elements:
1. Risk identification
2. Risk measurement and assessment
3. Risk mitigation
4. Risk reporting and monitoring
5. Risk governance
(Figure: the risk management cycle. Identify the risk, assess it, manage the response
(mitigate, or prepare a contingency), then review and monitor, and return to Identify.)

ISO/IEC 27001 Information Security Management (ISMS)
The standard's control areas cover:
Security policy
Organisational and staff security
Asset classification and control
Physical and environmental security
Communications and operations management
Access control
System development and maintenance
Business continuity management
Compliance
General Data Protection Regulation (GDPR)
GDPR came into effect on 25 May 2018. It gives natural persons rights over how
organisations process and use their personal data, and it applies directly in all EU member
states.

BCM (Business Continuity Management)
Primary controls:
Disaster Recovery
Business Recovery
Contingency Planning
Emergency Management
Incident Management
COBIT
YAHOO!
Data Breaches
Yahoo!, an American web services company founded in 1994, was headquartered in
Sunnyvale, California. After Verizon bought its core Internet business in 2017, the remaining
holding company was renamed Altaba and the Yahoo brand passed to Verizon Media. Its
best-known products are Yahoo Mail and Yahoo News; Yahoo News was the most-read news
portal in 2016, and by 2011 Yahoo Mail had 261 million users, making it the third-largest
email provider. Yahoo ran some 18 to 20 further web services with millions of users around
the world.
In December 2014, Yahoo's security team learned that Russian state-linked hackers had
gained access to the PII (Personally Identifiable Information) of at least 500 million
accounts: names, email addresses, phone numbers, dates of birth, hashed passwords and, for
some accounts, security questions and answers. Yahoo's Chief Information Security Officer
emailed senior management that the company was under attack and that a large amount of
data had been taken. The attackers had reached Yahoo's user database and account
management tool by spear-phishing employees who had access to those systems.
The same attackers kept using Yahoo's systems through 2015 and 2016, and senior
management took no action. They also forged session cookies, which let them log into
accounts without knowing the password.
A separate and earlier intrusion, dating from August 2013, came to light in 2016 during the
due diligence for the Yahoo-Verizon deal. Yahoo first estimated that it affected 1 billion
accounts; in October 2017 it disclosed that all 3 billion accounts that existed at the time
had been affected.
Types of IT Risks
Threats to the servers:
State-sponsored hackers gained access to the company's protected servers and extracted
the personal information of all the accounts Yahoo held.
Electronic threats:
The hackers forged session cookies from the stolen user data and the cookie-minting code,
and used them to access accounts without a username and password.
The hackers also used the stolen data (names, dates of birth, security questions) to gain
access to accounts on non-Yahoo websites.
Human error:
Even after repeated warnings from Yahoo's IT security team, senior management took no
action to prevent further attacks.
Employees were not trained well enough to recognise phishing attacks and so became the
hackers' point of entry.
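The cookie forgery described above rests on a simple property: if the server accepts whatever a cookie claims, or if the secret that authenticates cookies is stolen along with the code, an attacker can mint a valid session for any account without ever touching a password. The following added example (written for this page, not Yahoo's code; the key values, cookie layout and a fixed timestamp are assumptions) shows an unsigned cookie being forged trivially, an HMAC-signed cookie resisting a guessed key, the same signed cookie being forged once the key has leaked, and key rotation invalidating the forgery.

```python
import base64
import hashlib
import hmac
import json
import secrets
from typing import List, Optional

# Assumed server key for the example; not a real Yahoo secret. In the real case the
# intruders obtained the cookie-minting code and secrets, modelled as leaked_key below.
SERVER_KEY = secrets.token_bytes(32)


def _b64(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).decode().rstrip("=")


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_unsigned_cookie(user: str) -> str:
    """Weak design: the cookie is only the encoded claim, so anyone can write one."""
    return _b64(json.dumps({"user": user}).encode())


def parse_unsigned_cookie(cookie: str) -> Optional[str]:
    """The server trusts whatever user name the client put in the cookie."""
    try:
        return json.loads(_unb64(cookie))["user"]
    except (ValueError, KeyError):
        return None


def mint_signed_cookie(user: str, key: bytes, now: int, ttl: int = 3600) -> str:
    """payload.tag, where tag = HMAC-SHA256(key, payload). Only a key holder can mint."""
    payload = _b64(json.dumps({"user": user, "exp": now + ttl}).encode())
    tag = hmac.new(key, payload.encode(), hashlib.sha256).digest()
    return payload + "." + _b64(tag)


def verify_signed_cookie(cookie: str, accepted_keys: List[bytes], now: int) -> Optional[str]:
    """Return the user if the tag verifies under a currently accepted key and the cookie
    is unexpired, else None. Dropping a key from accepted_keys invalidates every cookie
    minted with it, whether it was minted by the server or forged with a stolen copy."""
    try:
        payload, tag_text = cookie.split(".", 1)
        given = _unb64(tag_text)
    except ValueError:
        return None
    for key in accepted_keys:
        expected = hmac.new(key, payload.encode(), hashlib.sha256).digest()
        if hmac.compare_digest(expected, given):  # constant-time comparison
            claims = json.loads(_unb64(payload))
            return claims["user"] if claims["exp"] > now else None
    return None


def demo(now: int = 1_480_000_000) -> dict:
    """Walk through the attack and the defences; returns who each cookie logs in as."""
    leaked_key = SERVER_KEY            # what the intruders took from the servers
    attacker_key = secrets.token_bytes(32)
    new_key = secrets.token_bytes(32)  # the key after rotation
    return {
        # 1. unsigned cookie: forging "victim" needs no secret at all
        "unsigned_forge": parse_unsigned_cookie(mint_unsigned_cookie("victim")),
        # 2. a signed cookie minted with a guessed key is rejected
        "signed_wrong_key": verify_signed_cookie(
            mint_signed_cookie("victim", attacker_key, now), [SERVER_KEY], now),
        # 3. with the leaked key the forgery passes: no password needed
        "signed_leaked_key": verify_signed_cookie(
            mint_signed_cookie("victim", leaked_key, now), [SERVER_KEY], now),
        # 4. after key rotation the same forged cookie fails
        "after_rotation": verify_signed_cookie(
            mint_signed_cookie("victim", leaked_key, now), [new_key], now),
        # 5. even a genuine cookie is refused once it has expired
        "expired": verify_signed_cookie(
            mint_signed_cookie("victim", SERVER_KEY, now), [SERVER_KEY], now + 7200),
    }


if __name__ == "__main__":
    print(demo())
```

The lesson for the case is step 3: a signature only proves possession of the key, so once the key is stolen the defence is rotation (step 4), short lifetimes (step 5), and server-side session records that can be revoked individually.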
Accountability
Foreign agent:
At a hearing before the US Senate in Washington D.C., former Yahoo CEO Marissa Mayer
acknowledged that the company had been hit by a state-sponsored attack from Russia and
that all 3 billion of its accounts had been affected.
Senior management:
Despite the CISO's initial email reporting the hack to senior management, and many further
emails in 2015 and 2016 reporting its progress and severity, senior management failed to
react. Instead, they played the intrusions down as a minor cyberattack. The true scale of
the hack only came out during the due diligence for the Yahoo-Verizon deal.
Employees:
Yahoo employees were not trained well enough to recognise cyberattacks and so fell for the
hackers' phishing emails. The employees responsible for Yahoo's user database and account
management systems were specifically targeted.
Financial implications:
In 2018 Yahoo, by then renamed Altaba, became the first public company to be fined by the
Securities and Exchange Commission ($35 million) for filing statements that failed to
disclose known data breaches. This came on top of the $80 million federal securities
class-action settlement reached in March 2018, the first of its kind based on a cyberattack.
Shareholder derivative actions remained pending in state courts, and the consumer
data-breach class actions survived initial motions to dismiss and were consolidated in
California for pre-trial proceedings. At the other end of the spectrum, a federal judge
balked at the U.S. Department of Justice's (DOJ) request that a hacker-for-hire indicted in
the Yahoo attacks be sentenced to eight years in prison for a digital crime spree dating
back to 2010.
Impact on shares after the breach
Yahoo's shares fell by about 5% as soon as the company revealed the second massive data
breach, amid fears that it might kill the deal with Verizon, which had already signed to buy
Yahoo's core Internet business.
Other costs incurred by Yahoo
Under a proposed settlement of the consumer class actions, Yahoo agreed to pay $50
million and to provide free credit monitoring to roughly 200 million affected users. On
learning of the breach disclosure, Verizon treated it as a "material adverse event", which
cost Yahoo a $350 million reduction in the acquisition price.

Cost item                                      | Amount
attorneys' fees                                | $35 million
costs related to the cyber incidents, of which | $16 million
    forensic investigation and remediation     | $5 million
    legal costs                                | $11 million
Some other major effects
1. Yahoo! Inc.'s financial reports show a loss of $1.23 billion in the second quarter of the
   2014 financial year.
2. Many affected users left the service, and the number of accounts dropped.
3. Advertisers also pulled back, and the company ran at a loss as profits dropped and
   operating costs rose, not least because of the cost of containing the attack.
4. As a result the company laid off 15% of its workforce in 2015 to cut costs and
   stabilise its profit margin.
Mitigation measures taken
1. Operational risk mitigation: to mitigate future attacks the company changed its
   processes, doubling the size of its internal security staff and putting $260 million
   into security initiatives.
2. Architecture risk mitigation: it added a feature that lets users see which devices are
   logged into their account remotely and log them out, and offered password-less
   authentication through a third party.
3. Security risk mitigation: the company also deployed numerous firewalls to block
   intrusions, while still letting users manage their accounts offline.
4. Technological risk mitigation: the company produced antivirus software, distributed
   to users through their accounts, which once installed helps block phishing and so
   keeps hackers away from the account's private data.
These process changes have so far helped to curb identity-theft cyber-crime at Yahoo! Inc.
from 2014 to date.
Conclusions drawn from the case
It is now clear that cybersecurity breaches have risen alarmingly, with identity theft hitting
even the largest companies, as the Yahoo case shows. It is therefore high time that every
company, small or large, invested seriously in keeping its systems malware-resistant and
running current, updated anti-virus software that can detect a breach quickly.
Preventive measures:
1. Restrict employees to viewing only the data they are authorised for. In the 2014 Yahoo
   breach the hackers reached the database through a phishing campaign; had only a few
   dedicated employees held database access, the loss would have been far smaller.
2. Ensure that employees and users follow a standard password policy: employees should
   be required to change their passwords regularly, to predefined standards. This stops
   hackers who have already got in from returning with the same credentials.
3. Train employees on such attacks: teaching staff the dangers of phishing emails and the
   different ways hacks happen prepares the company internally.
4. Deploy firewalls and security software such as anti-spyware and antivirus programs,
   which can prevent and remove malicious code. Employees should be asked to update
   their systems frequently to protect against known bugs and vulnerabilities.
5. Monitor suspicious activity and cookies: use the available resources to detect login
   activity through cookies and restrict future access for such users.
6. Outsource IT security to professional security firms: hand the IT security system to
   industry security specialists and follow best practices.
Detective measures:
   advance for the future. This can prevent intruders from gaining information through
   viruses or malware attacks.
2. Technologies for detecting a security breach: extra measures such as CAPTCHA and
   reCAPTCHA help prevent machines and bots from gaining access to the secured IT
   system.
Pinnacle Media
We have taken Pinnacle Media, a private company that provides technology solutions in four
verticals: digital image processing, software development, app development, and animation
for print and media.
Hierarchy
MD
  GM
Operations
The company places high importance on data privacy, cyber security and legal and
regulatory compliance. 90% of its business comes from overseas, so complying with the
norms and agreement terms of its offshore clients is of utmost importance and directly
affects its operations. Protecting client data and internal process data from external and
internal actors alike is necessary for the business.
On the infrastructure side, the company has tied up with NETGEAR and uses its NAS systems
(165 TB of capacity) to hold its system data. A backup job runs every 24 hours and captures
image-based backups.
Company policy requires client data to be kept in its databases for up to 3 months.
Although the NAS system can link to cloud services, Pinnacle Media has opted not to
subscribe to them.
Internal stakeholders have limited access to company data. Use of mobile phones,
flash/pen drives and other portable storage devices is restricted in the company; only top
management may use them.
Risk Analysis using Probability Impact Matrix
PxI = Probability x Impact. A dash marks a rating not given in the source table.

RISK              | Description                        | IMPACT | FINANCIAL | CLIENT | LEGAL & REGULATORY | REPUTATIONAL | PROBABILITY | PxI
Architecture Risk | Flaw in architecture design        | 0.9    | High      | Low    | Low                | High         | 0.2         | 0.18
Capacity          | Network overload                   | 0.8    | Medium    | Low    | Medium             | -            | 0.8         | 0.64
Change Control    | Implementing new technology change | 0.7    | High      | Low    | Low                | -            | 0.5         | 0.35
Data Loss         | Recovery of data                   | 0.9    | High      | Low    | High               | -            | 0.4         | 0.36
Training Gap      | Lack of required training          | 0.8    | High      | Low    | Medium             | -            | 0.7         | 0.56
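The matrix above scores each risk as P x I and leaves the reader to rank the results by eye. The following added example (written for this page, not Pinnacle Media's own tooling) puts the five rows through that calculation, bands the products into Low/Medium/High, and also places each risk on a conventional 3x3 probability/impact heat map. The PxI thresholds (0.25 and 0.50) and the heat-map band edges (0.34 and 0.67) are assumptions, since the report does not state its banding; the point of computing both is that they can disagree, as they do for Architecture Risk, whose impact is High but whose product is Low.

```python
from dataclasses import dataclass
from typing import List, Tuple


@dataclass(frozen=True)
class Risk:
    name: str
    description: str
    probability: float  # 0..1, as in the matrix
    impact: float       # 0..1, as in the matrix


# The five risks from the matrix above, with the report's P and I values.
REGISTER: List[Risk] = [
    Risk("Architecture Risk", "Flaw in architecture design", 0.2, 0.9),
    Risk("Capacity", "Network overload", 0.8, 0.8),
    Risk("Change Control", "Implementing new technology change", 0.5, 0.7),
    Risk("Data Loss", "Recovery of data", 0.4, 0.9),
    Risk("Training Gap", "Lack of required training", 0.7, 0.8),
]

# Assumed thresholds; the report does not state its banding.
PXI_LOW, PXI_HIGH = 0.25, 0.50      # bands on the product P x I
BAND_LOW, BAND_HIGH = 0.34, 0.67    # 3x3 heat-map cell edges, applied to P and I separately


def validate(r: Risk) -> None:
    """Probability and impact are scores on [0, 1]; anything else is a data entry error."""
    if not (0.0 <= r.probability <= 1.0 and 0.0 <= r.impact <= 1.0):
        raise ValueError(f"{r.name}: probability and impact must be within [0, 1]")


def pxi_score(r: Risk) -> float:
    validate(r)
    return round(r.probability * r.impact, 2)


def pxi_level(score: float) -> str:
    if score >= PXI_HIGH:
        return "High"
    if score >= PXI_LOW:
        return "Medium"
    return "Low"


def band(x: float) -> str:
    return "High" if x >= BAND_HIGH else "Medium" if x >= BAND_LOW else "Low"


def heatmap_cell(r: Risk) -> Tuple[str, str]:
    """(probability band, impact band): the cell the risk occupies on a 3x3 matrix."""
    validate(r)
    return band(r.probability), band(r.impact)


def prioritise(register: List[Risk]) -> List[Tuple[str, float, str, Tuple[str, str]]]:
    """Rank the register by P x I, highest first, alongside each risk's heat-map cell."""
    rows = []
    for r in register:
        score = pxi_score(r)
        rows.append((r.name, score, pxi_level(score), heatmap_cell(r)))
    return sorted(rows, key=lambda row: row[1], reverse=True)


if __name__ == "__main__":
    for name, score, level, cell in prioritise(REGISTER):
        print(f"{name:18s} PxI={score:.2f} {level:6s} heat-map cell (P, I)={cell}")
```

Ranking by product puts Capacity and Training Gap first, which matches the matrix. The disagreement to notice is Architecture Risk: a 0.9 impact lands it in the top impact row of the heat map, but a 0.2 probability pulls its product down to 0.18, so whether it is "Low" depends entirely on how much the 0.2 estimate can be trusted.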
From the risk analysis above, a few suggestions can be made to build better risk
management into the organisation:

RISK         | ACTION LEVEL | MITIGATION
Availability | Reduce       | If actual uptime is low, resources may run short in critical situations. Backup systems and servers help in such cases.
Data Loss    | Avoid        | To deal with physical, logical and transport-related data loss, every employee should have project- and role-based access, and sensitive data should be masked.
Training Gap | Avoid        | Constant training and evaluation of employees on the organisation's functioning and on their responsibilities, aligned to their roles and profiles.