
Introduction

In the current technology age, the implementation of information technology or systems has become inevitable for the smooth running and operations of a firm. The digital transformation has made it easier to conduct business and reach customers far and near across the globe. However, the implementation of information technology comes with drawbacks, namely the attacks and threats to company resources that digital business brings (Such et al., 2016). Organizations' networks and systems face numerous threats. It is the responsibility of the organization to carry out regular risk assessments to determine how safe the company network is and to detect any vulnerability in the system early. This paper examines the risk assessment of SNHU.

Analysis of the Environment

SNHU is an educational institution whose systems manage student and employee records, and as such it has a security policy and systems to ensure that the data of students and employees is protected. SNHU has an IT security department that manages the security of data within the university. SNHU has a good network and data security system in place, supported by data security policies and procedures. In analyzing the environment, it is important to examine the security protocols and policies at SNHU.

Protocol and Policies

Security protocols and policies at SNHU can be assessed in terms of the information technology aspect, the data center aspect, and the safety aspect.


Information Technology

Information is properly managed at SNHU. All information collected about stakeholders is stored in the university data center and regularly monitored by the IT department. The IT department maintains strict compliance with the university's information security policy by ensuring that data is regularly backed up, that access to certain information requires permission and authorization, and that any change to information is approved by the IT department before it takes effect. All data usage by users, both employees and students, is managed and authorized by the IT department.

Data Center

All data about the university is stored in the data center. The data center is secured, with access restricted for the public and stakeholders. It is protected under a sound information security policy, which makes it difficult for any intruder to gain access. The data center is protected both digitally and physically. Aside from data protection, university data is also backed up remotely to the cloud to ensure business continuity in the event of data loss or disaster.

Safety

In terms of physical safety, the university has strict policies regarding entry to and exit from the university and its data storage areas. This is to ensure the physical security of data within the university. Only authorized individuals are given access to the university data center. Every activity regarding data change or data facility arrangement must be authorized by the university according to the information technology policy. Data change in every department must be carried out according to information technology

In the opinion of Lee et al. (2018), a threat to the database can be due to physical damage or digital loss. Data can be lost through a disaster at the data center such as fire, flood, or another disaster, and data can be lost through digital means such as hacking or gaining unauthorized access to the corporate network or database. Irrespective of the form of threat to data, it is important to have security mechanisms in place that prevent both physical access to the data center and electronic access to organization data (Cilliers, 2017).

Threat Environment

Every organization that stores data faces a threat to data security. However, in the case of SNHU, the university has put in place some data security mechanisms to overcome any threat to its data security. The threat environment of the university can be divided into electronic threats and physical threats.

Electronic Threat Environment

The electronic threat environment comprises the threats to the information assurance of the university. These are digital threats such as system failure and malicious human interference. There are also some vulnerabilities in the digital environment of the university, such as security system configuration and IT security system audit. A system failure is a threat to university information assurance. System failure will lead to service unavailability. Students, employees, and other stakeholders would not be able to access resources or communicate with the university system. Aside from system failure, another threat is malicious human interference (Utomo et al., 2017). This involves intruders gaining access to the university system or network. This could lead to the loss of important information by the university. The vulnerabilities identified in the university digital environment are security system configuration and IT security system audit. System configuration is a vulnerability when the firewall is not properly configured, leaving the system vulnerable to attacks. System audit vulnerability involves a lack of periodic IT security audits to determine the vulnerabilities in the university system and network.

Physical Threat Environment

Physical threats to the university's information assurance include unauthorized access to the physical data center of the university and physical damage to the information resources of the university, such as flooding. Unauthorized physical access to the data center is a threat to university information assurance. This is because an intruder who gains access to the data center could have access to physical data or files stored there. A natural disaster such as flooding is a threat to the university's information assurance because floods can affect data hardware resources (Paul et al., 2019). This will lead to a data outage when hardware such as the server and other components is affected by floods. Some physical vulnerabilities could also affect information assurance in the university. These include a lack of proper air conditioning and the location of the server room. When the air conditioning system in the data center is old, it poses a lot of vulnerability to data hardware and the information assurance of the university. Besides, the location of the server room is also an important vulnerability: when the server room is placed on the ground floor, it is susceptible to flooding (Torabi, Giahi & Sahebjamnia, 2016).

Best Approaches

Based on the evaluation of the threat environment of SNHU, some approaches are recommended for consideration to ensure information is always available.

Digital Threats

• Concerning the digital threats examined, the organization needs to ensure data hardware and software are checked and maintained periodically. This prevents any form of system failure from occurring. Besides, data must be backed up periodically to prevent data loss in the event of system failure.

• To prevent malicious human interference, it is important to regularly update the information security policy of SNHU, regularly scan the system for vulnerabilities, and install security software that prevents unauthorized access to data.

• To prevent system configuration vulnerability at SNHU, security systems such as firewalls must be properly configured and always active.

• To prevent the IT security audit vulnerability, IT security audits must be conducted regularly. This is important to assess the current status and level of data security at SNHU.

Physical Threats

• The best approach to address physical threats at SNHU is to ensure maximum physical security at every entrance of the university and the entrance to the data center. This is necessary to ensure only authorized individuals gain access to the university data center. It is also advised to limit access to the data center by allowing anyone other than regular IT staff to enter only on special occasions.

• To address the physical threat of flooding, server centers must be located on at least the third floor in the IT departments. This will ensure that floodwater does not reach where data hardware is kept. Besides, to prevent physical damage to data hardware, physical security must be put in place.

Risk Matrix

| Threat | Vulnerability | Asset | Impact | Likelihood | Risk |
|---|---|---|---|---|---|
| System failure | Old air conditioning | Servers | Service unavailable | Temperature 40 °C | Up to $100,000 loss |
| Malicious human interference | Firewall properly configured | Website | Website unavailable | No DDoS experienced in past | Medium |
| Natural disaster | Server room on third floor | Server | All service unavailable | No flood experienced in history | Low |
| Physical human damage | Proper IT system configuration | Files | Loss of critical data but restored from backup | Medium | Low |

Key

Low, High, Medium, Critical

References

Cilliers, L. (2017, May). Exploring information assurance to support electronic health record systems. In 2017 IST-Africa Week Conference (IST-Africa) (pp. 1-8). IEEE.

Lee, S., Cho, H., Kim, N., Kim, B., & Park, J. (2018, January). Managing cyber threat intelligence in a graph database: Methods of analyzing intrusion sets, threat actors, and campaigns. In 2018 International Conference on Platform Technology and Service (PlatCon) (pp. 1-6). IEEE.

Paul, P., Bhuimali, A., Aithal, P. S., & Rajesh, R. (2019). Vulnerability in Information Technology and Computing—A Study in Technological Information Assurance. International Journal of Management, Technology, and Social Sciences (IJMTS), 4(2), 87-94.

Such, J. M., Gouglidis, A., Knowles, W., Misra, G., & Rashid, A. (2016). Information assurance techniques: Perceived cost effectiveness. Computers & Security, 60, 117-133.

Torabi, S. A., Giahi, R., & Sahebjamnia, N. (2016). An enhanced risk assessment framework for business continuity management systems. Safety Science, 89, 201-218.

Utomo, R. G., Walters, R. J., & Wills, G. B. (2017, December). Factors affecting the implementation of information assurance for eGovernment in Indonesia. In 2017 12th International Conference for Internet Technology and Secured Transactions (ICITST) (pp. 225-230). IEEE.
