Saturday, December 7, 2019
Government Risk Management Framework
Question: Discuss the Government Risk Management Framework.

Answer:

Introduction:

The Victorian government wants to establish a monitoring system to provide security for confidential information. The objective is to determine ownership for identifying the information, assess the value of the information, identify and manage data security risks, apply security measures, create a positive organizational culture for imposing security, and increase the methods for providing data security. The company is working hard to provide assurance actions for mitigating the associated security risks (Venkatesh, 2015). The Victorian government requires a protective security policy framework to enhance the working of the government in the national interest. Information security procedures should be created to cope with new threats, updated threats, and the occurrence of vulnerabilities. The management of the information helps in overcoming the problems caused by disruption to business objectives. A positive security culture in the organization helps in the deployment of a continuous improvement plan, which helps in enhancing the functions performed by the Victorian government for the betterment of the nation. The application of the Victorian government depends on the value of the information (Lebanidze, 2014). Proper security procedures should be adopted to create positive information value for the goodwill of the nation. The analysis of the risks associated with the working of the government helps in enhancing decision-making capability and in giving priority to the security efforts undertaken by the government (Brezeanu, 2011). The government is working to protect the domains named governance security, information security, personnel security, information and communication technology security, and physical security.
The current working of the Victorian government carries risks in information sharing, assessment of information, management of information, inclusion of the personal life cycle, security plans, the business continuity plan, and information values.

Identification of the areas of risks exposure:

Risks | Description
Policies and operational responsibilities | The associated person does not look at the policies and operational responsibilities provided to him
Understanding of the information value | The confidentiality, integrity, and availability of the information are not well managed
Security culture and monitoring system | The risks associated with the system are not given consideration (Brown, 2016)
Cost associated with the project | The project can go above the allocated budget
Security in governance | The risks are not properly managed by the executives
Security of information | The lifecycle of the information should maintain the confidentiality, availability, and integrity of the project (Thomsons, 2011)
Security of personal | No unauthorised person should be able to access the confidential information of the government
ICT security | The risks are associated with the storage of information
Physical security | Security should be provided against the risks associated with the availability of resources, facilities, services, and equipment (Victorian managed insurance authority, 2016)

Comparison between deliberate and accidental threats exposure:

The deliberate threat is the result of ignorance of the risks. Ignoring the risks results in the occurrence of errors and irrelevancy. The occurrence of errors can result in distortion and incompleteness in deploying the security framework in the working culture of the Victorian government (Perkins, 2014).
The major impact of ignorance can be seen in the working of the Victorian government as it takes initiatives for securing the information, in terms of confusion, uncertainty, inaccuracy, unavailability, loss of confidential information, and fuzziness.

The accidental threats are not known in advance. They can occur by chance (Wuest, 2013). The complete working of the Victorian government can be affected by exposure to accidental threats because the government is not proactive in facing a situation which can change the current scenario of the government. The accidental threats can be categorised as non-availability of resources, breakdown in the flow of communication, etc. (Stoneburner, 2014).

In managing the security of the information, the Victorian government has to face many challenges and has to develop many mitigation programs to cope with the challenges and issues in managing the confidentiality and integrity of the information. The Victorian government is facing problems in managing the value of the information, applying the security framework, selecting and certifying the security measures which should be specified for developing the framework, managing the response to security incidents, monitoring and reviewing the implementation of the security framework, updating security working programs, reflecting changes in business operations, conducting external monitoring of activities, and others.

Risk can be defined as the probability of losing or gaining something in carrying out the procedures of the Victorian government (Bansal, 2013). Uncertainty can be defined as the situation that arises when the Victorian government has to take instant steps to face a situation for the betterment of the nation. The situation is not known before its existence. The risks associated with securing the information of the Victorian government can be identified and managed (Bemile, 2012). The risks associated with the project can be measured.
The uncertainty arises in managing the information of the Victorian government to preserve its confidentiality, integrity, and availability. The uncertainty cannot be measured before its occurrence. The outcome of the risk identification and management process is known before its existence, whereas the outcome of the uncertainty cannot be predicted before its existence. The risks can be minimized by deploying risk mitigation policies, but the uncertainty cannot be reduced because it is an instant action. The probabilities of risk occurrence can be assigned, but the probabilities of uncertainty cannot be predicted. The priority of risk management can be assigned with the prediction of the risks, but the same is not applicable for uncertainty because it is uncontrollable.

Approaches for risk control and mitigation:

Particular / Standard / Objectives / Control

Security management framework: It is the framework which is used for implementing and maintaining the risks associated with the size, risk posture, and resources (European commission, 2016). It helps in managing the security risks by providing a security management framework to the organization for the arrangement of governance. The security framework is used for monitoring and reviewing the arrangement for organization governance. It helps in managing risks by promoting security protocols for overcoming the risk environment. The information security management framework is required by the organization to manage the risks associated with the resources and other equipment.

Security risks management: The risk management framework is used for managing security risks associated with the government. Effective and efficient management schemes should be used for providing security mechanisms to manage the security domains.
The risk management framework is used for managing executive sponsorship. It is used for identifying and recording the risk register. Monitoring and reviewing of the risks registered. Updating the records of the risk registers periodically. The security management framework used by the Victorian government is named the Victorian government risk management framework. It is used for providing principles and guidelines for risk management security procedures. It helps in managing the confidentiality, integrity and availability of information.

Security policies and procedures: The security policies and procedures are used for managing the risks associated with the size of the project, resources used, and associated risk posture. The policies and procedures help in providing strategic direction for managing the risks effectively. It helps in fulfilling the security requirement of the government. The security framework is used for monitoring and reviewing the arrangement for organization governance. It helps in managing risks by promoting security protocols for overcoming the risk environment. The protective security policies framework has been developed for overcoming risks by utilizing the policies and procedures used by the government for risk management.

Accessing of the information: The standard risk security procedures should be used for defining the risk management plan for public data. The executive sponsorships should be maintained for deploying the access management schemes. The security framework is used for monitoring and reviewing the arrangement for organization governance. It helps in managing risks by promoting security protocols for overcoming the risk environment. A code of information security controls should be deployed for resolving the issues related to risk management of the enterprise. The activities of the organization should be aligned with the access management using the standard code of information security controls.
Security Obligations: The security obligations should be reviewed by the organization by using the documentation and communication schemes for accessing public data. The security obligations are used for the personal management program. It is used for embedding the daily functions and activities for the reflection of personal management. The protective security policies framework has been developed for overcoming risks by utilizing the policies and procedures used by the government for risk management. The protective security guidelines should be used for managing the security responsibility of personal management.

Security training and awareness: The training and development program should be organized for ensuring the security procedures for public data management. Personal management can be explored by deploying the training and development program. Monitoring and reviewing of the personal management program. The procedures should be undertaken for developing the security risk environments (Walker, 2011). The protective security policies framework is used for providing the guidelines for securing the guidelines of personal security.

Security incident management: The security policies and procedures are used for managing the risks associated with the size of the project, resources used, and associated risk posture. The security risk environment is used for managing activities for securing incident management. The security incident management activities are used for improving the incident management of the organization. The investigation techniques are used for reporting and providing security guidelines to evolve security associated with the risk environment.

Business Continuity management: The business continuity management program is used for addressing the security procedures for public data. The capability of the organization can be enhanced by managing confidentiality, integrity, and availability of public data.
The executive sponsorship should be managed for providing the security requirements to develop the business continuity management program. Monitoring and reviewing of security procedures should be done periodically. The security risk environment should be evolved by deploying the business continuity management program. The business continuity management program has three sectors to be undertaken, which are categorised as continuity of the business, disruption in the management, and related risks (Kutsch, 2010).

Contracted service providers: The Victorian protective data security standards are used for ensuring the public data accessed by contracted service providers. The security domains which are analysed by the Victorian government are the development and planning phase, arrangements of contracted service providers, monitoring and reviewing of security requirements, and the evolving risk environment. The outsourced services and functions should be incorporated in the protective security policy framework. Developing and managing contracts should be signed for getting better security mechanisms.

Government services: The Victorian government provides data security standards for ensuring disclosure, transfer, management, and collection of data. The service level agreements should be signed for ensuring the planning and development phase. The service level agreements should be monitored and reviewed periodically to give best practices. Protective security policy framework is used.

Security plans: The security risks can be managed by implementing and maintaining data security procedures (Vassileios, 2011). It is used for identifying decisions which are cost effective and capable of securing private data. Identification, assessment, and recording of the risks are used for managing the risks in the organization. The privacy and data protection act is used for ensuring security of data. The business planning process should be monitored and reviewed periodically.
The compliance management system is used for aligning the compliance security activities.

Information value: The integrity, confidentiality, and availability of the data should be managed. The executive sponsorship should be managed for developing the information management framework. The information security guidelines should be incorporated in the security framework.

Information management: The information management framework is used for maintaining the security of the information (Nia, 2017). The security controls and procedures should be monitored and reviewed periodically (Ormrod, 2013). The information management principles should be incorporated with the security framework developed for the Victorian government. The data validation and security act should be undertaken.

Information sharing: The security controls should be used for ensuring security of the public sector data (Tara, 2015). The information management framework is used for securing information (Steen, 2013). The risks associated with the sharing of data should be periodically reviewed and updated. The code of information security controls is used for transferring and sharing of information between different sectors.

Personal Life cycle: The security controls should be given privilege to ensure implementation and maintenance of personal security. The personal security controls are used for implementing organization personal management. It is used for monitoring and reviewing of the organization personal management. The personal security management programs should be used in the security framework.

Information communication technology life cycle: The ICT security controls should be used for securing the activities related to information communication technology. The executive sponsorship should be used for providing ICT security controls. The reviewing and monitoring of information technology and security controls.
Information security manuals should be incorporated with the security framework of the organization.

Conclusion:

The Victorian government is looking forward to driving a set of risk management programs which help in the smooth functioning of the activities. The management schemes help in maintaining information confidentiality, integrity, and availability throughout the project life cycle. The development of the security domains helps in analysing the information security management schemes. Unauthorised access to information should be completely restricted. Security mechanisms should be employed for managing the accidental loss of information. The risk management plan helps in retaining the information value, which is classified as confidentiality, integrity, and availability. The value of the information can be improved by securing the information from losing its confidentiality and integrity.

References

Bansal, B. (2014). Corporate governance and risk management in insurance sector: A review of literature. Retrieved from https://www.ijsrp.org/research-paper-1014/ijsrp-p3407.pdf
Bemile, R. (2012). Guide to risk assessment and response. Retrieved from https://www.uvm.edu/~erm/RiskAssessmentGuide.pdf
Brezeanu, P. (2011). Does corporate governance impact risk management system. Retrieved from https://store.ectap.ro/articole/580.pdf
Brown, R. (2016). Victorian Government risk management framework: Practice notes. Retrieved from https://www.google.co.in/url?sa=trct=jq=Research%20paper%20pdf%20on%20Victorian%20government%20risk%20managementsource=webcd=2cad=rjauact=8ved=0ahUKEwiqj-fn1ezVAhWLwI8KHW5OCOcQFggqMAEurl=https://www.vmia.vic.gov.au/~/media/internet/content-documents/risk/vgrmf/vgrmf-practice-notes-risk-culture.pdfusg=AFQjCNGI9XM3W3ZDFt2KpQT1EZ_3F-NbOA
European Commission. (2013). Risk management in the procurement of innovation. Retrieved from https://ec.europa.eu/invest-in-research/pdf/download_en/risk_management.pdf
Kutsch, E.
(2010). Deliberate ignorance in project risk management. Retrieved from https://dspace.lib.cranfield.ac.uk/bitstream/1826/5114/1/Deliberate_ignorance_in_project_risk_management.pdf
Lebanidze, E. (2014). Guide to develop a risk mitigation plans. Retrieved from https://www.smartgrid.gov/files/CyberSecurityGuideforanElectricCooperativeV11-21.pdf
Nia, S. (2017). Effects of corporate governance structures on enterprise risks management practice in Malaysia. Retrieved from https://www.econjournals.com/index.php/ijefi/article/viewFile/2570/pdf
Ormrod, P. (2013). Corporate governance and Risks: A study of board structure process. Retrieved from https://www.accaglobal.com/content/dam/acca/global/PDF-technical/corporate-governance/rr-129-001.pdf
Perkins, R. (2014). The role of risk management in data protection. Retrieved from https://www.informationpolicycentre.com/uploads/5/7/1/0/57104281/white_paper_2-the_role_of_risk_management_in_data_protection-c.pdf
Steen, A. (2013). Risk management in corporate governance: A review and proposal. Retrieved from https://onlinelibrary.wiley.com/doi/10.1111/j.1467-8683.2009.00763.x/abstract
Stoneburner, G. (2014). Risk management guide for information technology system. Retrieved from https://csrc.nist.gov/publications/nistpubs/800-30/sp800-30.pdf
Tara, S. (2015). Corporate governance and Risk management: An Indian perspective. Retrieved from https://researchleap.com/wp-content/uploads/2015/08/3.-Corporate-Governance-and-Risk-Management-An-Indian-Perspective.pdf
Thomson, R. (2011). Victorian government risk management framework. Retrieved from https://www.google.co.in/url?sa=trct=jq=Research%20paper%20pdf%20on%20Victorian%20government%20risk%20managementsource=webcd=5cad=rjauact=8ved=0ahUKEwiqj-fn1ezVAhWLwI8KHW5OCOcQFgg7MAQurl=https://www.dtf.vic.gov.au/files/26637dd0-0933-41f7-9564-a6f200b16c9b/Victorian-Government-Risk-Management-Framework-December-2016.pdfusg=AFQjCNEQWVIJAdpC_saLQvI93OoYi2F7mA
Vassileios, K.
(2011). Relation between corporate governance and risk management during the credit crisis. Retrieved from https://mibes.teilar.gr/proceedings/2011/oral/12.pdf
Venkatesh, R. (2015). An introduction to information system risks management. Retrieved from https://www.sans.org/reading-room/whitepapers/auditing/introduction-information-system-risk-management-1204
Victorian managed insurance authority. (2016). Victorian Government risk management framework. Retrieved from https://www.google.co.in/url?sa=trct=jq=Research%20paper%20pdf%20on%20Victorian%20government%20risk%20managementsource=webcd=1cad=rjauact=8ved=0ahUKEwiqj-fn1ezVAhWLwI8KHW5OCOcQFgglMAAurl=https://www.vmia.vic.gov.au/~/media/internet/content-documents/risk/risk-tools/risk-management-guide/vmia-practice-guide.pdfusg=AFQjCNE_MnkXzbiNFfa7VI4STur2sRJTNQ
Walker, M. (2011). Public services: Inter-agency risks. Retrieved from https://mams.rmit.edu.au/0wqb9pk1hn2pz.pdf
Wuest, W. (2013). Risk management and corporate governance. Retrieved from https://www.oecd.org/daf/ca/risk-management-corporate-governance.pdf