Project 13.3: Assessing Risk Management According to the FFIEC Information Security InfoBase Handbook (Appendix A), the initial step in a regulatory Information Technology Examination is to interview management and review examination information to identify changes to the technology infrastructure, new products and services, or organizational structure. 1. Explain how changes in network topology, system configuration, or business processes might increase the institution's information security-related risk. Provide examples. 2. Explain how new products or services delivered to either internal or external users might increase the institution's might increase the institution's information security-related risk. Provide examples. 3. Explain how loss or addition of key personnel, key management changes, or internal reorganizations might increase the institution's information security-related risk. Provide examples.

Question

Engineering

Alannah Hebert

28 May, 23:34

Project 13.3: Assessing Risk Management According to the FFIEC Information Security InfoBase Handbook (Appendix A), the initial step in a regulatory Information Technology Examination is to interview management and review examination information to identify changes to the technology infrastructure, new products and services, or organizational structure. 1. Explain how changes in network topology, system configuration, or business processes might increase the institution's information security-related risk. Provide examples. 2. Explain how new products or services delivered to either internal or external users might increase the institution's might increase the institution's information security-related risk. Provide examples. 3. Explain how loss or addition of key personnel, key management changes, or internal reorganizations might increase the institution's information security-related risk. Provide examples.

+4

Answers (1)

Know the Answer?

Jeffery Benton · Answer 1

1. Changes in network topology or system configuration might bring security-related challenges. For example, adopting a new system configuration which is low in cost but also very new in the Industry might be vulnerable to the existing security.

2. New products or Services which are delivered to either the Internal/External users might be prone to security issues.

Let say a product 'A' has been launched by a company 'X' and for testing purpose it has been given to the internal users. Now as this product 'A' is a product of 'X' itself it will be allowed to carry in the official premises and if some user tries to hack this product and can make the product potentially harmful w. r. t security.

3. Consider a scenario where there is a change in management & team, the team members which were thoroughly responsible for Security kinds of stuff are dissolved into different teams. Also new members are hired for the team. Now, since the new members will need some time to get adapted to the Business As Usual things there are high chances of a security level not maintained as it was earlier by the old guys. This could be due to undocumented things in the organization or due to lack of Knowledge Transfer to the new joinees.