Risk assessment is the first process an organization undertakes to determine the severity of potential threats and, to an extent, the risk associated with its IT system. The assessment is meant to determine the level of risk the IT systems have been exposed to during an attack. In the case of Home Depot, it is therefore important to analyze the type of risk, the risk level, and the IT assets that are vulnerable to attack (Taiwe, 2014).
System Characteristics
The first step in risk assessment is to examine the system characteristics of the organization: the inputs and outputs of the characterization step, and the hardware and software the organization uses to run the business. The inputs are hardware, software, system interfaces, data and information, and people. The outputs are the system boundary, the system functions, and system and data sensitivity. Home Depot has servers, network infrastructure, point-of-sale systems, a communication server, and a data server (Nikolić & Ljiljana, 2015). These systems are vulnerable to attack both internally and externally, so necessary actions must be taken to protect them. IT assets should also be inventoried and listed by level of deployment, security features, year of purchase, and the serial number of each asset.
Threat Identification
To identify the threats, we look at the history of threats that have attacked the organization, in this case Home Depot. The focus should not be limited to the company alone; the surrounding environment, government systems, and other companies should be considered so that threats can be identified more easily. The system is likely to be attacked by hackers, viruses, and phishing for data (Stoneburne, Alice, & Alexis, 2018). The common threats likely to occur are human threats such as unauthorized access attempts, malicious uploads of viruses or other attacks, and data breaches. Threats can also arise from the recklessness of employees and misuse of the system. Home Depot is likely to face threats from hackers, unauthorized access to its data and access information, and computer criminals, because it has received such threats before.
Vulnerability
A vulnerability is a flaw in the system that leaves it open to attack, both internally and externally. The firewall as installed permits unauthorized access to the system because it allows inbound telnet to the server, which gives unauthorized persons a path to the server where they could alter information. Former employees' IDs have not been removed from the system, which creates an entry point for unauthorized persons. It is also possible that the vendor of the system or of any hardware retains an entry point into the system (Elky, 2012).
Control Analysis
The system is protected at the gateway, and the security policies in place are strong enough to protect the system from attack (Stoneburner, 2014). Based on the analysis, computers are also protected with passwords, but more needs to be done to rotate passwords and upgrade the system. In the future, controls should be improved by implementing level-three security at the gateway to prevent any access to the firewall.
Likelihood Of The Attack
The IT system is most likely to be attacked at its servers, through the firewall where the vulnerability has been identified. The threat can take the form of phishing, hacking, and malicious attacks, all of which are likely to occur.
Risk Determination And Recommendation
It is likely that the system will be attacked in the future, so it is recommended that a backup system be installed remotely to serve as a buffer when the primary system is attacked. It is also advisable to adopt policies that ensure all IT assets are properly protected. All vendors should be checked thoroughly to make sure that no back route into the system has been intentionally created by a vendor.
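As an added example (not part of the original assessment), the following Python script applies the vulnerability and risk-determination steps above to constructed data: a sample firewall rule set containing the inbound telnet rule, a sample account export containing accounts of former employees, and the likelihood-by-impact scale from the NIST risk management guide the assessment cites. The rule set, the account list, the Finding class and the scoring thresholds are assumptions made for illustration.

```python
"""Audit constructed firewall rules and accounts for the two findings
described above, then rate each finding with a likelihood x impact
matrix (values follow the NIST SP 800-30 scale; assumed for illustration)."""
from dataclasses import dataclass

# Constructed sample firewall rules: (direction, protocol, port, action)
FIREWALL_RULES = [
    ("inbound", "tcp", 443, "allow"),
    ("inbound", "tcp", 23, "allow"),    # telnet: cleartext remote login
    ("inbound", "tcp", 22, "allow"),
    ("outbound", "tcp", 25, "allow"),
]
# Constructed directory export: (username, account enabled, still employed)
ACCOUNTS = [
    ("jdoe", True, True),
    ("asmith", True, False),   # left the company, account still enabled
    ("bjones", False, False),  # left the company, account disabled (fine)
    ("clee", True, False),
]
# Services that should never be reachable inbound from outside (assumption)
INSECURE_INBOUND_PORTS = {23: "telnet", 21: "ftp", 3389: "rdp"}

@dataclass(frozen=True)
class Finding:
    asset: str
    description: str
    likelihood: str  # "low" | "medium" | "high"
    impact: str      # "low" | "medium" | "high"

LIKELIHOOD = {"low": 0.1, "medium": 0.5, "high": 1.0}
IMPACT = {"low": 10, "medium": 50, "high": 100}

def risk_level(likelihood: str, impact: str) -> str:
    """Rate a finding: score > 50 is high, > 10 is medium, else low."""
    score = LIKELIHOOD[likelihood] * IMPACT[impact]
    return "high" if score > 50 else "medium" if score > 10 else "low"

def audit_firewall(rules) -> list:
    """Flag inbound allow rules for cleartext or remote-login services."""
    return [Finding("firewall", f"inbound {INSECURE_INBOUND_PORTS[port]} "
                    f"({proto}/{port}) allowed", "high", "high")
            for direction, proto, port, action in rules
            if direction == "inbound" and action == "allow"
            and port in INSECURE_INBOUND_PORTS]

def audit_accounts(accounts) -> list:
    """Flag accounts that remain enabled after the employee has left."""
    return [Finding("directory", f"account {user} enabled after departure",
                    "medium", "high")
            for user, enabled, employed in accounts if enabled and not employed]

def risk_register(rules, accounts) -> list:
    """Combine both audits into (asset, description, risk level) rows."""
    return [(f.asset, f.description, risk_level(f.likelihood, f.impact))
            for f in audit_firewall(rules) + audit_accounts(accounts)]
```

Running `risk_register(FIREWALL_RULES, ACCOUNTS)` rates the telnet rule high and each stale account medium, which is the ordering a remediation plan would follow.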
References
Elky, S. (2012). An Introduction to Information System Risk Management. 2-17.
Nikolić, B., & Ljiljana, R. (2015). Risk Assessment of Information Technology Systems. Issues in Informing Science and Information Technology, 2-35.
Stoneburne, G., Alice, G., & Alexis, F. (2018). Risk Management Guide for Information Technology Systems. National Institute of Standards and Technology, 2-34.
Stoneburner, P. (2014). The Purpose of IT Risk Assessment | SolarWinds MSP. 1-34.
Taiwe, N. (2014). Risk Assessment Process. Information Security, 2-34.