Risk assessment is the first process which an organization takes to determine the depth of potential threat and to an extent the risk is associated to the IT system. The risk assessment is meant to determine the level of risk IT systems have been exposed to during an attack. However, in the case of Home Depot, it is important to analyze the type of the risk and the risk level and final the IT assets which are vulnerable to attack (Taiwe, 2014).
System Characteristics
The first step in risk assessment should be look into the system characteristic of an organization. System characteristics are the type of out input and output which an organization uses. It is the hardware and software applied by an organization to drive the business. The outputs are hardware, system interface, data and information, people and software. The outputs are system and data sensitivity, system boundary and functions. Home Depot has servers, network infrastructure, and point of sale, communication server, and data server (Nikolić & Ljiljana, 2015). These systems are vulnerable to attack both from internal and external and therefore, necessary actions must be taken to protect the system. However, IT assets should be gathered and listed based level of deployment, security features and listed year of purchase and serial number of each asset as well.
Threat Identification
In order to identify the threats, we look at the history of the threats which had attacked the organization and in this case the Home Deport. The focus should not be limited to the company alone but the environment government system and other companies to identify threat easily. The system is likely to be attacked by hackers, virus and phishing of data (Stoneburne, Alice, & Alexis, 2018). The common threats which are likely to occur are human threats such as unauthorized attack, malicious upload of virus or any attack, and data breach. It is also possible to get threat from recklessness of employees and misuse of system. Home Depot is likely to receive threats from hackers, unauthorized accessed to the data and access information and computer criminals due to the fact that it has receive such threats before.
Vulnerability
The vulnerability is the flaw in the system which makes it weak to be attacked both from internal and external. However, the firewall installed is allowing unauthorized access to the system due it allows inbound telnet to the server and this therefore, gave authorized person access to the server to alter information. Former employees IDs have not been removed from the system and this create an entry point for unauthorized person. It is also likely that the vendor of system or any hardware has identified entry to the system (Elky, 2012).
Control Analysis
The system is protected from the gateway and the security policies in place are also strong which can protect the system from attack (Stoneburner, 2014). Based on the analysis computers are also protected with passwords but more need to be done on changing passwords and upgrading system as well. In the future, it is better to improve controls through implementation of level three securities in the gateway to prevent any access to the firewall.
Likelihood of the attack
The IT system is likely to be attacked from its servers through the firewall where the vulnerability has been identified. The threat can be in the form phishing, hacker and malicious attack, which is likely to occur.
Risk determination and recommendation
It is likely that the system can be attacked in the future and therefore, it is recommended to put in place a backup system remotely to be used as buffer when the system is attacked. It is also advisable to come up with policies which can make sure that all IT assets are properly protected. All vendors should be checked thoroughly to make sure that any back route to the system is not intentionally created by vendors.
References
Elky, S. (2012). An Introduction to Information System Risk Management. 2-17.
Nikolić, B., & Ljiljana, R. (2015). Risk Assessment of Information Technology Systems .
Issues in Informing Science and Information Technology , 2-35.
Stoneburne, G., Alice, G., & Alexis, F. (2018). Risk Management Guide for Information
Technology Systems. National Institute of Standards and Technology , 2-34.
Stoneburner, P. (2014). The Purpose of IT Risk Assessment | SolarWinds MSP. 1-34.
Taiwe, N. (2014). Risk Assessment Process. Information Security , 2-34.
