FACULTY OF APPLIED SCIENCE AND TECHNOLOGY

DEPARTMENT OF COMPUTER SCIENCE AND INFORMATION

SYSTEMS

STUDENT NAME: Mukayenga Sin’athine

REG NUMBER: M2142Z

LEVEL: 4.1

PROGRAMME: Information Systems

MODULE: Information Systems Security Audit

STUDENT EMAIL: [email protected]

STUDENT CELL: 0785020036

LECTURER: Mr Ranganai

DUE DATE: 27 March 2024

1. Risk Assessment and Management (20 marks)

 Conduct a risk assessment for a fictional organization, identifying and prioritizing
potential security risks. Provide a comprehensive report outlining the identified risks
and proposed mitigation strategies. (15 marks)

Risk assessment is, the process for assessing security risks varies depending on the needs of
an organization. It relies on the type of business operation, assessment scope, and user
requirements. Tech Link Zimbabwe offers a range of information technology services,
Including software development, data analytics, and information technology. It is medium
company around 30 to 90 employees. Its mission is to empower Zimbabwean businesses and
organizations to succeed through innovative technology solutions. More so its values are
customer centricity, innovation, collaboration and integrity. It can be conducted with the
following steps.

Introduction: This is the initial section of the report that sets the stage for the risk
assessment. It provides an overview of the purpose of the assessment, the organization being
assessed, and may briefly touch on the methodology used for identification.

Identification: Identifying your organization needs and critical assets in terms of technology
infrastructure is crucial for establishing a strong security direction. This initial step helps you
understand what you need to protect and guides your security strategy.

Vulnerability Assessment: we evaluated the like hood and potential impact of each threat.

Risk Prioritization: we prioritized risks based on their likelihood and potential impact.

The identified risks include

cyber Attack
These are threats which are unauthorized access to Sensitive data and systems. Hence this is
prone to Vulnerability. The outdated software, weak passwords and inadequate security
measures. These Vulnerabilities have impact to the Data breach, reputational damage and
financial loss. For example, an attacker gains unauthorized access to Tech Link Zimbabwe’s
database, stealing sensitive client information. The audit consideration Review access
controls, passwords policies, and intrusion detection systems to ensure they are robust and
up-to- data. A proposed system mitigation strategies are implementation of robust security
measures (firewalls, intrusion detection) and conduct regular software updates and
vulnerability assessments.
Data Breach
These are unauthorized access, disclosure or loss of sensitive information including personal
data, financial information. For example, unauthorized access to customer databases, theft of
laptops or devices containing sensitive data, and sharing of confidential data. For example, an
employee accidentally leaves, a laptop containing client data in a public place and it’s stolen.
This can lead to reputational damage and legal liabilities. Moreover, the mitigation strategy to
be conducted is to conduct regular security audits and risk assessments. In addition,
implement data loss prevention tools

Human Error
Un intentional actions or mistakes made by individuals that can compromise the security,
integrity or availability of information systems or data. For example, accidental deletion of
data, misconfigured systems, and weak passwords. This can have led to a negative impact
which is Data loss, system downtime and financial loss Furthermore, to have a solution in
this is to provide regular training and awareness programs for employees. In addition,
develop and enforce strict procedures and guidelines.

Natural disaster
A natural event such as a flood, fire earthquake that can damage or destroy information
systems, data or infrastructure. For example, Server rooms flooded, data centres destroyed in
a fire in a fire and due to earthquake damage. This is prone to vulnerability which are
inadequate backup systems, insufficient disaster recovery planning. Hence there are negative
impacts which are business disruption, data loss and financial loss. A proposed mitigation
strategy is developing a comprehensive disaster recovery plan and implement redundant
systems and backup infrastructure.

Reputation Damage
This harm to an organization’s reputation, trust and credibility due to actual or perceived
security incidents. For example, negative media backlash loss of customer trust and damage
to brand reputation. To eliminate these crisis, develop a crisis management plan and
communication strategy and establish a social media monitoring and response.

b) Discuss the importance of risk management in information systems security and

explain the steps involved in the risk management process. (5 marks)
Information systems security is a critical concern for organisation, as the threat land scape
continues to evolve and grow. Risk management is an essential component of information
systems security, as it enables organisations to identify, assess and mitigate potential risks to
their information assets. Effective risk management helps in organizations through the
protection of the sensitive data and systems from cyber threats and attacks. More so, it
ensures compliance with regulatory requirements and industry standards. In addition, it
minimizes financial losses and reputational damage and it improves incident response and
disaster recovery capabilities. Furthermore, it optimizes security investments and resource
allocation.
The risk management process involves the following steps
Risk Assessment
Once risks have been identified, they must be assed to determine their likelihood and impact.
This involves evaluating the probability of a risk occurring and potential damage it could
cause.
Risk Prioritization
After risks have been assessed, they must be prioritized based on their likelihood and impact.
This ensures that most critical risks are addressed first.
Risk Mitigation
Risk mitigation involves implementing controls and countermeasures to reduce the likelihood
or impact of identified risks. This may include security measures such as firewalls, intrusion
detection systems, and encryption.
Risk monitoring
Risk monitoring involves continuously monitoring and reviewing the risk landscape to
identify new risks and asses the effectiveness of mitigation measures.

Risk review and update

This regularly review and update the risk management plan, to ensure it remains relevant and
effective.

b. Discuss the importance of risk management in information systems

security and explain the steps involved in the risk management process. (5
marks)
Risk management is a vital component of information systems security, as it enables
organisations to identify, assess, and mitigate potential risks. Effective risk management
involves the following steps:
1.Risk assessment
Identify and analyze potential risks, evaluating their likelihood and impact.
2.Risk mitigation
Implement measures to reduce identified risks, such as encryption or additional firewalls.
3.Risk acceptance
Acknowledge and accept certain risks, focusing on the most critical ones.
Risk management is crucial for organisations to safeguard their data, networks and systems.
It helps identify vulnerabilities, determine the degree of risk and develop proactive strategies
for managing risks and their consequences.