audit will use the following criteria to evaluate the identified risks:

Describes how the given aspect of the business/system should exist and/or function. The “control” therefore is the definition of what should exist/occur.

Identification of what could go wrong, both procedural and technical, with the control.

Classification of how likely this could

Determination of the effects of an exploited risk and its impacts to the confidentiality, integrity and availability of the data.
1.3.1 Business and Procedural Risk:
Netsol.com.pk’s business is operated by one person. No established security processes, procedures, or checks and balances exist. As a small business, Netsol.com.pk is confronted with concerns associated with limitations on budgets, resources, and functional expertise. Furthermore, Netsol.com.pk uses an Service Provider, which limits many physical as well as information security controls. These constraints create major obstacles to ensuring security best practices. The following table discusses these business and procedural
Control: The organization should have skilled and available resources in order to effectively perform all necessary business

Concern: Few and inexperienced resources are operating the Netsol.com.pk business, and therefore they cannot effectively manage all operations.

Likelihood: High - In small businesses, it is difficult to financially support many resources with specialized skills, such as

The number of resources working for Netsol.com.pk is limited and they do not have the time or the skills to implement and follow appropriate security procedures and controls. An exploit can take advantage of this lack of knowledge and resources.
Control: Industry best practice is to allocate 15% of the company’s budget to Information Technology investment; this would include costs for addressing security.

Concern: Limited budgets will not be able to support the hardware, tools, and resources required to securely operate the business.

Likelihood: High - In small and particularly start-up businesses, funds are limited as they are funded by a few investors. Therefore, operating budgets are at a minimum.

Budget does not exist to support the hardware, tools and resources required to support the existence of security processes and controls within the company. Therefore, in the case of an exploit, the appropriate tools and resources are not available to mitigate and remediate the incident.
security policies and procedures
Control: A standardized set of processes should be implemented within any operation to ensure all security concerns are acknowledged and addressed. Examples of such processes would be the consistent monitoring of audit logs and verifying the users/groups and permissions allowed into the systems.

Concern: The lack of these security processes indicates that neither attention nor effort is made to address security needs. Furthermore, when a security incident does occur, there is no knowledge or guidance of what to do.

Likelihood: Medium - Basic business plans should include these standardized processes. Additionally, contracts with outsourcers should include these policies and procedures.

The business operates in an insecure environment with little awareness of what security vulnerabilities exist. In the event of an incident, business operations could cease as little knowledge exists on how to control it.
physical security and access control
Control: The business should install physical security measures in order to protect both its physical and information assets. This would include appropriate locks on doors, desks and storage areas. Furthermore, there should be established, controlled processes for people who wish to access them.

Concern: Without any physical security, there is no way of preventing unauthorized people from gaining access to proprietary and confidential data, or of identifying that they have done so.

Likelihood: Medium - Most buildings and offices contain some form of physical security. However, the enforcement of this security is usually out of the business owner’s control, as physical security is usually managed by an outsourced company.

Unauthorized people will gain access to physical areas and be able to gain access to proprietary and confidential data, thus compromising its confidentiality, integrity and
Nonexistent Backup and
Control: Data stored in the system should be regularly backed up and stored in a secure

Concern: If data is not regularly backed up, compromises to the system could result in loss of all data, which cannot be restored.

Likelihood: Backup of data should be a primary concern for the system administrator. In any system compromise, the data will certainly be altered if not lost.

If a system is compromised or mistakenly shut down and data is lost, Netsol.com.pk potentially loses all information, which is detrimental to the operations of