Wednesday, May 6, 2020

IT Risk Assessment Case Study for Aztek Corporation

Question: Describe the IT Risk Assessment Case Study for Aztek Corporation.

Answer:

Executive Summary

This report analyses the Information Technology (IT) risk associated with employees bringing their personal mobile devices to work. The risk is analysed, evaluated and measured for Aztek Corporation, one of the prominent players in the Australian financial services sector. The report first evaluates Aztek Corporation's business model and the IT practices the company currently deploys, and briefly discusses the government and regulatory compliance requirements for organizations operating in the Australian financial services sector.

The current trend among Australian and multinational organizations of allowing employees to bring their own laptops, mobile phones, tablets and other personal devices is emerging as the latest challenge for the global IT landscape. This trend and its current popularity are discussed in detail in this report, together with a review of the factors that affect its application to the employees of Aztek Corporation. The positive and negative impacts on Aztek Corporation's current IT security posture are presented with the necessary details, followed by a detailed risk assessment, from an IT control framework perspective, of the threats, vulnerabilities and consequences of allowing Aztek employees to bring their own laptops, mobile phones, tablets and similar devices. The report identifies data security risk as one of the most serious risks in adopting the desired project at Aztek Corporation.

This report strongly recommends safeguarding Aztek Corporation from leaks of confidential business information by adopting a BYOD (Bring Your Own Device) programme and policy and incorporating it into the terms of the employment agreement. Adequate legal backing for the BYOD policy will help mitigate the discussed IT risks for the employer (Aztek Corporation). Finally, the report concludes on a positive note, considering the substantial cost benefits to Aztek Corporation of implementing the discussed project option. The benefits of implementation would outweigh the challenges if the recommended IT risk mitigations are put in place.

1. Introduction

Advances in information and communications technology have given modern organizations operating in the twenty-first century innovative and useful technology tools that facilitate their business functioning. Several IT applications have improved business efficiency across many business sectors in Australia as well as internationally. In the Australian financial services sector, applications such as ERP (Enterprise Resource Planning) systems, digitization technologies, secure payment gateway applications, bar-coding technology, data-analysis tools, cloud computing solutions, network integration applications and dematerialization of investment options are the prominent IT applications that have supported the successful journey of this industry (Price Waterhouse Coopers, 2015). The Australian financial services sector has evolved into one of the most prominent sectors of the Australian economy over the years. It successfully weathered the global financial crisis of 2008-2011 and is geared up to face the regulatory and technological challenges of the twenty-first century.
Overall, businesses of the twenty-first century have become competitive and technology-driven, which is also reflected in the nation's financial services players (Eddy, 2013). The prominent players in the Australian financial services sector face several external challenges: the evolving regulatory landscape of the sector, increasing demographic and cultural change, and rapid change in the technological landscape, including the development of social media, mobile platforms and core system changes. Responding to each of these changes while embedding a risk management culture has become a tightrope walk for the leading financial services players of the Australian region. The father of management principles, Peter Drucker, rightly recommended that management teams anticipate future changes and capitalize on every opportunity for effective execution of a desired project (Browning, 2012). This report analyses the opportunities and risks for Aztek Corporation, one of the leading players in the country's financial services sector, in implementing one of the desired information technology changes in the organization.

2. Current IT Practices at Aztek Corporation

Aztek Corporation is one of the leading Australian financial services providers. The organization was incorporated in 1960, with its corporate office in the business district of North Sydney. The company is a leading distributor of life insurance and general insurance policies in Australia and also provides a range of debt and equity investment products for retail and corporate consumers. It also offers loan and mortgage products to retail consumers, which alone is evolving into a prominent business segment of the company.

The company currently has 20 regional offices around the country, with approximately 1000 employees as of 2014. It is a well-respected player in the Australian region and is widely known for its high level of corporate social responsibility.

The company has always responded proactively to the constantly developing information technology applications that affect its business operations. In 1999 the company was one of the first to introduce online payment gateways for its customers, providing safe and convenient investment platforms through effective implementation of information technology systems. In 2005 the company adopted SAP ERP (Enterprise Resource Planning) systems, which linked its internal functional and administrative departments and business segments with each other in real time. This fostered greater efficiency and transparency in Aztek Corporation's business operations and helped the organization serve its retail and corporate clients better.

Aztek Corporation has developed and maintains a website that allows secure login for its registered customers and employees. The login time of every employee IP address (every desktop belonging to every employee) is automatically captured by the systems and linked to the organization's attendance database. The installed desktops have a unique passcode that allows only the right set of users to enter the right systems. This ensures a good degree of intra-departmental and intra-segment business data protection; for example, an employee from the insurance department cannot access data pertaining to loan products or derivative products.
The company's registered customers can easily study and compare various online investment options through the corporation's website and can even place a purchase order to invest in a particular financial product. The trade cycle of each investment option varies according to the rules and regulations drafted by the Australian Securities and Investments Commission. Thus, an existing customer of Aztek Corporation can transact virtually through secure payment gateways maintained by the organization's information and communications technology service department. The bank account and the dematerialization account (which stores dematerialized investments) are electronically linked with each other, making it convenient for customers to invest in financial instruments. The IT support department keeps the user interface of the company website very simple in order to attract more retail investors. The customer relations team at Aztek also provides telephone support to its prominent clients, and the conversation records are transcribed and stored as digital conversations for security purposes. The web pages displaying the available financial products with their real-time buy and sell values are updated hourly with data obtained from the leading trade exchanges. The organization's IT support team has functioned as one of the essential components of the corporation, without which adapting to the various electronic and digital investment applications would have been impossible for the company. Adapting to the tremendous speed of technology growth and advancement is indispensable for the business success of any organization and is the key to remaining competitive in the fierce international competition of the twenty-first century.

3. The Concept of BYOD (Bring Your Own Device) at Aztek Corporation

Organizations across many industries and sectors are permitting their employees to use their own laptops, tablets, smartphones and other personal devices to complete their professional activities. These employees access company data and applications from their personal machines and tap into corporate virtual networks using their personal devices (Berry, 2015). This concept is popularly known in the IT landscape as BYOD, which stands for Bring Your Own Device.

Implementing BYOD at Aztek Corporation would call for three critical actions by the organization's IT department. The first is selecting a viable software application for managing the many devices brought by employees to their workplace and connecting them to a common network. The second is drafting a custom policy outlining the responsibilities of both the organization and the employees of Aztek, establishing rules and guidelines for the use of employees' personal devices on office networks. The third is a legal agreement signed by Aztek employees acknowledging their support for BYOD and their understanding of the terms and conditions of the policy.

Aztek Corporation would have to consider the following implications when allowing its employees to bring their own devices to their workplaces:

Legal Implications

Australian legislation such as the Freedom of Information Act 1982, the Privacy Act 1988 and the Archives Act 1983 has to be checked to ensure that BYOD can be established at Aztek Corporation. As a market player in the financial services sector, Aztek would also have to comply with additional regulations set by the Australian financial conduct authority for protecting sensitive key financial information (Bodley-Scott, 2014).
Financial Implications

Implementing BYOD, that is, allowing employees to use their personal mobile and laptop devices at Aztek, would benefit the organization financially. The corporation would have reduced hardware costs, as employees would personally pay for the hardware devices used for official purposes (Orantia, 2013). However, Aztek Corporation may face the cost of technically supporting the devices and the financial consequences of data security breaches.

Security Implications

Allowing BYOD at Aztek may also lead to undesirable security implications. The risk to sensitive business data would multiply as outside devices connect to the organization's internal networks (McAfee, 2011). Aztek Corporation's IT personnel would have to carry out the challenging task of effectively integrating employee devices into corporately monitored official virtual networks and maintaining their security posture (Stavert, 2013).

4. Impacting Factors for BYOD (Bring Your Own Device) in the IT Landscape

Literature research on BYOD policies in the Australian region has found that most IT professionals to date do not have secure BYOD policies to protect the corporate data owned by their companies (Orantia, 2013). Employees connecting their own devices to the organizational network and storing confidential data on them, especially financial client data in the case of Aztek Corporation, may be extremely risky for the corporation. These employee devices may be mislaid or infected by malware, which may result in undesired exposure of confidential organizational data such as unreleased financial reports or other confidential client information. Such incidents would put the brand image of the business at risk, especially for those operating in the financial services sector, for whom data and numerical figures are the most confidential information to be protected.

Positive Impacting Factors for BYOD in the IT Landscape

Employees would have the hassle-free experience of using the same laptop for office as well as personal use. They could access their email and work documents from the cafeteria, library, meeting rooms and lobby of Aztek Corporation's office premises. This would directly boost their morale and productivity at work (Sendall, 2014). Aztek Corporation would also benefit immensely in terms of reduced spending on hardware infrastructure for work purposes. The proposed change would also attract budding talent from the industry seeking flexibility in device usage at work, and would thus speed up the organization's hiring process.

Negative Impacting Factors for BYOD in the IT Landscape

Several drawbacks and negative impacts are also expected to influence this project decision. The security and protection of the corporation's most valuable financial and transaction data is the most pressing concern in allowing employees to bring their own devices to work (Miller, 2011). The corporation would have to maintain better control over the number of users and the number of devices connected to the corporate network that hosts confidential business information (Stavert, 2013). This may be achieved by installing better IT security measures.

5. IT Risk Assessment for Desired Project Implementation (BYOD) at Aztek Corporation

As discussed earlier, Aztek Corporation envisages allowing its employees across all regional offices and the head office to bring their own laptops, mobile phones and tablets to their workstations, connected to the company's internal network and linked to the corporation's main server through Wi-Fi modems. The following are the desired steps for Aztek Corporation to identify the IT security risk considerations:

1. Taking a risk management approach to implementing enterprise mobility: measuring the exact change in risk profile for both employees and the employer when switching from agency-owned devices to personally owned devices.

2. Considering the wide range of technical options available to Aztek Corporation in order to make an informed decision. This would include a detailed analysis by the organization's IT representatives of employees' IT user needs, in terms of the amount and nature of information accessed, as well as the IT support services required to access that information.

3. Bringing unacceptable risks, such as the risk of accessing social networking sites through the corporation's networks, to the notice of the senior management team, and taking corrective action in the corporation's terms and policies.

The following are the prominent information technology risks surrounding adoption of the desired changes at Aztek Corporation (Sendall, 2014), each supported by options to mitigate it:

1. Risk of managing unknown third-party access via tablets and mobile applications. Many employees install mobile applications for personal use on their mobile phones. This may result in unregulated third-party access to sensitive information stored on the employee's tablet or mobile device. Blacklisting at-risk software and managing an effective BYOD policy is one way for the organization to address these security risks.

2. Risk of probable challenges in data tracking. Modern organizations have operations affiliated with both cloud and mobile storage services, which makes managing and tracking corporate data even more difficult. Aztek Corporation carries out regular data exchanges with customers and trade exchanges, resulting in additional risk exposure from data movement in real time. Aztek Corporation may make use of content security tools equipped with monitoring features to protect against data loss on mobile and network devices.

3. Risk of probable difficulty in data management and segregation for compliance. Data management and segregation supporting adequate compliance with the corporation's IT guidelines would indeed be challenging with the adoption of the new changes. A clear and well-documented list of policies and compliance documents, with details of the third-party devices used to store the data, has to be maintained by Aztek Corporation's IT support and surveillance department.

4. Risk of data leakage on account of loss of personal devices. The majority of tablets and mobile devices used by employees are not secured with a PIN or password. The loss or theft of these handy devices may result in data leaks or data loss for the corporation, which would be risky for its business operations. The corporation may include in its policy documents an obligation on employees to notify it immediately, so that loss or theft of personal devices is reported to the corporation without delay.

6. Recommendations

Aztek Corporation should clearly define in a policy document the rules and guidelines for its employees pertaining to the use of personal devices at the workplace. This policy document should be linked to the employment agreement so that employees sign it at induction. Existing staff of Aztek Corporation have to be informed of these changes to the organization's rules and regulations on a positive note, through employee meetings and email, and the organization should ensure that existing employees also sign the revised employment agreement that includes the BYOD policy guidelines. Delivering effective training to Aztek Corporation's staff can also make a lot of positive difference to the appropriate use of their own devices on the organization's network (Orantia, 2013).

The corporation's current customers and clients should also be taken into consideration before implementing the desired changes. Mailers should be proactively sent to each of the company's retail and corporate clients, involving them in the proposed changes. The mailers should explain the long-term benefits of the desired changes for the corporation's business operations and efficiency, and should assure clients that the corporation's data confidentiality practices will continue in spite of the proposed changes.

The following is a brief outline of the BYOD policy drafted for Aztek Corporation:

Acceptable use guidelines as per the policy:
- Limited personal use of devices during office hours
- Restriction on the use of camera applications inside the corporation's premises
- No storage or downloading of proprietary client and customer information
- Social media websites and music apps not to be accessed at work
- Zero-tolerance policy for texting or emailing while driving

Devices and support allowed:
- Smartphones, tablets and laptops authenticated by the corporation's IT department would be allowed
- Connectivity issues would be managed exclusively by the corporation's IT support department
- Devices may be presented to IT for configuration of standard apps, browsers and security tools

Reimbursement policies:
- The corporation would contribute to the annual maintenance charges of the device, arranged in liaison with the IT department
- The company would pay employees an allowance towards the data plan of their devices

Security guidelines to be maintained:
- The company's strict password policy has to be maintained on all devices
- Devices must lock with a PIN if they remain idle for more than 5 minutes
- Rooted (Android) or jailbroken (iOS) devices would be forbidden
- Employee devices would be remotely wiped in case of loss of the device, termination of employment, policy breach or a security threat to the organization's data and technology infrastructure

Other disclaimers:
- Employees are expected to use their devices in an ethical manner
- Lost or stolen devices must be reported to the corporation within 24 hours
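As an added illustration (not part of the original report or of any Aztek system), the security guidelines in the policy outline above can be expressed as policy-as-code that a device management or network access control integration could evaluate for every enrolled device. The posture record fields, the sample devices, the 6-character passcode minimum and the split between denying network access for configuration gaps and wiping for the listed wipe triggers are assumptions made for this example.

```python
"""Policy-as-code check for the Aztek BYOD security guidelines (added example).
Evaluates constructed device posture records against the rules in the policy
outline. The posture fields and the "deny" vs "wipe" split are assumptions."""
from dataclasses import dataclass, field
from typing import Optional

MAX_IDLE_LOCK_MINUTES = 5        # from the policy outline
LOSS_REPORT_DEADLINE_HOURS = 24  # from the policy outline
MIN_PASSCODE_LENGTH = 6          # assumed; the page only says "strict password policy"


@dataclass
class DevicePosture:
    """Constructed MDM-style posture record for one enrolled device."""
    device_id: str
    it_authenticated: bool            # enrolled/authenticated by the IT department
    passcode_length: int              # 0 means no passcode set
    idle_lock_minutes: Optional[int]  # None means auto-lock disabled
    rooted_or_jailbroken: bool
    reported_lost: bool = False
    hours_to_report_loss: Optional[float] = None  # time between loss and report
    employment_terminated: bool = False
    security_threat: bool = False     # e.g. malware alert from security tooling


@dataclass
class Decision:
    action: str                       # "allow", "deny" or "wipe"
    reasons: list = field(default_factory=list)


def evaluate_device(d: DevicePosture) -> Decision:
    """Return the access decision the policy implies for one device."""
    # Wipe triggers listed in the policy: loss, termination, breach, security threat.
    wipe = []
    if d.reported_lost:
        wipe.append("device reported lost or stolen")
        if d.hours_to_report_loss is not None and d.hours_to_report_loss > LOSS_REPORT_DEADLINE_HOURS:
            wipe.append(f"loss reported after the {LOSS_REPORT_DEADLINE_HOURS}h deadline")
    if d.employment_terminated:
        wipe.append("employment terminated")
    if d.security_threat:
        wipe.append("security threat flagged for the device")
    if d.rooted_or_jailbroken:
        wipe.append("rooted/jailbroken device is a policy breach")
    if wipe:
        return Decision("wipe", wipe)
    # Configuration gaps: deny network access until remediated (assumed handling).
    deny = []
    if not d.it_authenticated:
        deny.append("device not authenticated by the IT department")
    if d.passcode_length < MIN_PASSCODE_LENGTH:
        deny.append("passcode does not meet the company password policy")
    if d.idle_lock_minutes is None or d.idle_lock_minutes > MAX_IDLE_LOCK_MINUTES:
        deny.append(f"idle lock must trigger within {MAX_IDLE_LOCK_MINUTES} minutes")
    return Decision("deny", deny) if deny else Decision("allow")


def evaluate_fleet(devices):
    """Map device id -> decision for a batch of posture records."""
    return {d.device_id: evaluate_device(d) for d in devices}


# Constructed sample fleet (not real Aztek data).
SAMPLE_FLEET = [
    DevicePosture("lap-001", True, 8, 5, False),                     # compliant
    DevicePosture("tab-002", True, 4, 10, False),                    # weak passcode, slow lock
    DevicePosture("phn-003", True, 8, 2, True),                      # rooted
    DevicePosture("phn-004", True, 8, 3, False, reported_lost=True, hours_to_report_loss=30),
    DevicePosture("lap-005", False, 8, 5, False, employment_terminated=True),
]

if __name__ == "__main__":
    for dev_id, decision in evaluate_fleet(SAMPLE_FLEET).items():
        print(f"{dev_id}: {decision.action} {decision.reasons}")
```

Wipe triggers are checked before configuration gaps, so a device that both lacks IT authentication and belongs to a terminated employee is wiped rather than merely denied access.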
7. Conclusion

Allowing employees of Aztek Corporation to bring their personal laptops, mobile phones and tablets to work and use them as part of the corporate network would indeed be a significant break from tradition for Aztek Corporation, which at present even restricts inter-departmental device (desktop) usage for data security purposes. The corporation would have to implement the desired changes while facing the several risks and challenges mentioned in this report. It would have to install state-of-the-art IT infrastructure such as adequate firewalls to restrict the use of unsafe internet applications, network protection at every level, high-security gateways and password protection for each user interface. The cost benefits of allowing employee devices would not be visible in the initial three years, as they would be offset by the high fixed cost of the IT infrastructure needed to mitigate the predicted data security risks. The market research organization Gartner has predicted a substantial rise in the adoption of BYOD policies by the end of 2017, and that half of the organizations around the world would in fact require their staff to bring their own devices to work (Gartner, 2013). An adequate policy framework has to be designed to protect the security and integrity of Aztek Corporation's data and technology infrastructure. The information technology representatives, in coordination with the human resources representatives of Aztek Corporation, should make employees understand the implications of the desired changes in the organization. They should persuade employees to share the responsibility of maintaining data security and integrity in the organization by asking them to willingly sign the revised employee agreement, including the revised terms and conditions for connecting employees' personal devices to the corporation's network.
References

Australian Government website. (2015). Information security advice for all levels of government. Retrieved on February 13, 2015 from https://www.asd.gov.au/publications/protect/enterprise_mobility_bring_your_own_device_byod.htm

BDO International Ltd. (2015). Doing BYOD Right: How to establish a strong policy. BDO Australia Articles. Retrieved on February 13, 2015 from https://www.bdo.com.au/resources/articles/tmt/doing-byod-right-how-to-establish-a-strong-policy

Berry, Megan. (2015). BYOD Policy Template. IT Manager Daily. Retrieved on February 13, 2015 from https://www.itmanagerdaily.com/byod-policy-template/

Bodley-Scott, Jamie. (2014). BYOD for the financial services sector: are you ready? Retrieved on February 13, 2015 from https://www.bobsguide.com/guide/news/2014/Jun/11/byod-for-the-financial-services-sector-are-you-ready.html

Browning, John. (2012). It's a BYOD World. Dallas Magazine. Retrieved on February 13, 2015 from https://www.dmagazine.com/publications/d-ceo/2012/november/its-a-bring-your-own-mobile-device-world

Eddy, Nathan. (2013). BYOD Risk High Among Retail, Financial Services Organizations. Retrieved on February 13, 2015 from https://www.eweek.com/small-business/byod-risk-high-among-retail-financial-services-organizations

Gartner. (2013). Gartner predicts by 2017, half of employers will require employees to supply their own device for work purposes. Gartner Newsroom. Retrieved on February 13, 2015 from https://www.gartner.com/newsroom/id/2466615

McAfee. (2011). Employee Use of Personal Devices: Managing Risk by Balancing Privacy and Security. Retrieved on February 13, 2015 from https://www.mcafee.com/in/resources/solution-briefs/sb-employee-use-of-personal-devices.pdf

Miller, Lloyd. (2011). Should Employees Be Allowed to Use Their Own Devices for Work? The Wall Street Journal. Retrieved on February 13, 2015 from https://www.wsj.com/articles/SB10001424052970203716204577013901949065394

Orantia, Jenneth. (2013). The Rise and Rise of BYOD. The Age. Retrieved on February 13, 2015 from https://www.theage.com.au/it-pro/business-it/the-rise-and-rise-of-byod-20130807-hv181.html

Price Waterhouse Coopers. (2015). Australian Financial Services Sector. Retrieved on February 13, 2015 from https://www.pwc.com.au/industry/financial-services/

Sendall, Antony. (2014). Bringing Your Own Device: Managing the Risk. Littleton. Retrieved on February 13, 2015 from https://www.littletonchambers.com/bring-your-own-device-%E2%80%93-managing-the-risks-659/

Stavert, Bruce. (2013). Bring Your Own Device in Schools: Literature Review 2013. State of NSW, Department of Education and Communities, T4L Program, Information Technology Directorate.
