
Group members:

Peter Kong Kee Hieng 1122700625
Low Kim Hoe 1122700369
IT Risks
IT risk is the potential that a given threat will cause a series of negative impacts on the
organization. It is measured by the likelihood of an event and the consequence if it happens. Because
IT risk as a whole is a huge area, this report narrows down to one specific IT activity: personal
device security is chosen for the following discussion.
Today, technology lets everyone own a personal device, which can be a computer, mobile phone,
tablet, smartwatch and more. Because of the growing number of personal devices, their security
has become a major concern. Without serious preventive action, weaknesses in personal devices
can cause serious impact in many areas.
There are many IT risks that can seriously impact MMU ITSD. First, installing third-party
applications on a personal device to access organization data brings security risks to MMU ITSD,
because a third-party application sometimes contains malware or a virus that could expose MMU's
private or sensitive data to outsiders. The user's personal data on the device might also be stolen
by such applications for illegal purposes, and some third-party applications force the user to
visit or connect to malicious URLs.
The second IT risk arises when an old personal device such as a laptop or desktop is sold or
recycled and the data stored on its hard drive is not properly erased or disposed of. A hacker or
thief can recover the data with just a few simple software tools. There is therefore a high risk
that the organization's sensitive data is exposed and used for illegal activities.
The third IT risk is an operating system on the personal device that is always out of date,
where the latest security patches that fix known security holes are not installed. For example, on
smartphones the Android ecosystem is large, and phone manufacturers take a long time to release
patches for security issues. There is therefore a high risk that a hacker breaks into the device to
steal personal data.
The fourth IT risk under personal device security is lost and stolen devices (EY, 2013). This
risk is somewhat similar to the second one. A large number of personal devices are stolen every
year (EY, 2013), and those devices may contain sensitive data or useful information that the
hacker or thief can recover. One example is the conversation history among the high committee of
MMU ITSD, which may contain ITSD's top secrets or plans for future activities. If this private
information is exposed or leaked to the public, it will severely affect ITSD's performance and
disturb the planned activities.
The next IT risk is the lack of cyber security knowledge among lecturers and students.
Untrained users are an extreme threat to the organization. They must understand the latest
information about cyber threats on the Internet; for example, if an employee accidentally clicks a
phishing link in an e-mail, his or her personal data can easily be stolen for illegal use.
Besides that, USB devices can be another high-risk threat to personal device security
(Pennie Walters, 2012). Nowadays many organizations allow their employees to use their own USB
devices, such as pen drives and external hard disks, for work, and employees may store sensitive
private data on them. USB devices contribute to the organization's vulnerability in a few ways.
For example, an employee may plug a USB device into a computer that contains a Trojan, and the
USB device becomes infected. The Trojan is quite dangerous for the personal device: it can corrupt
or steal sensitive private data. Formatting is another potential IT risk for USB devices: an
employee may format the device before using it, having forgotten what sensitive data or
information was stored on it.
COBIT Domains
a) Plan and Organize (PO)
b) Monitor and Evaluate (ME)
COBIT Process
PO1 Define a Strategic IT Plan
PO4 Define the IT Processes, Organization and Relationships
PO9 Assess and Manage IT Risks
ME1 Monitor and Evaluate IT Performance
ME2 Monitor and Evaluate Internal Control
COBIT Control Objective
PO 1.4 IT Strategic Plan
PO 4.8 Responsibility for Risk, Security and Compliance
PO 9.4 Risk Assessment
ME1.1 Monitoring Approach
ME2.1 Monitoring of Internal Control Framework
IT controls activities
After defining all the possible IT risks of personal devices for MMU ITSD, we list the IT
control activities that reduce the chance of these risks occurring. The following processes also
provide a guideline for MMU ITSD when a risk does occur.
We first describe the IT control activities for the first risk we defined, third-party
applications. The ITSD department itself needs to set an IT strategic plan that encourages
students and employees of the university to use only the official applications developed by ITSD
to access sensitive data, so that the sensitive data cannot be accessed by unauthorized persons.
Next, "many of the organizations do not know which third-party supplier contracts are
active, what information suppliers have access to and what the most critical data assets are," he
told Computer Weekly (Warwick Ashford, 2015). Therefore ITSD has to carry out a risk assessment
to confirm that the third-party applications developed for MMU are safe to use. For example, ITSD
needs to examine third-party mobile applications that access MMU data, such as MMU Hub and Ebee,
to verify that they are used for their stated general purpose and nothing else.
After that, ITSD must select only a trusted supplier to develop the applications it uses, and
sign a contract with the supplier to ensure that the application developed is used for its general
purpose only. ITSD can also set up security checks to detect where an application comes from; for
example, ITSD can block all third-party applications from accessing the server.
Besides that, ITSD also needs to educate its students and employees about the risks of using
third-party applications and raise their awareness that personal data may be stolen at any time.
ITSD needs to encourage them to install the official application to access the data.
Next we describe the IT control activities for the second risk we defined, old personal
devices. ITSD should check employees' personal devices and request them to dispose of sensitive
information before they leave the office at the end of a certain period. This may be troublesome
for employees, but it reduces the chance of the risk occurring.
After that, ITSD has to organize a talk about the old personal device risk and invite other
companies to share their experience of how they deal with it. ITSD can use their experience as a
reference to plan a more effective way to reduce the chance of the risk occurring.
Besides, ITSD is encouraged to use utility programs such as Disk Wipe and Darik's Boot and Nuke
to wipe old personal devices. These programs are recommended by Jack Schofield and are freeware,
which saves ITSD the cost of buying a program. Nowadays technology changes rapidly and people often
change their personal devices, so sensitive information left on old devices is a high risk that
threatens the organization. ITSD therefore has to ensure that any utility program it acquires is a
trusted program and works on all the personal devices with their different operating systems.
The IT control activities for the third risk we defined concern operating systems on personal
devices that are out of date. An outdated operating system may hide security holes that let a
hacker easily break into the device. ITSD therefore has to monitor employees' and students'
personal device operating systems to ensure that the latest version is installed.
Following that, ITSD should enforce on all students' and employees' personal devices that the
latest operating system or the latest security patches are installed before the device may access
any service that requires the Internet. For example, ITSD can set a minimum operating system
version below which a device cannot access the services; this reduces the security risks.
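One way to implement the minimum operating system version rule described above, as an added example that is not part of the report: a gateway check that denies a device access to the services when its OS version, or on Android its security patch level, is below the minimum ITSD sets. The platform names, minimum versions and sample devices are constructed assumptions.

```python
"""Device posture check for a minimum-OS-version access rule.
Added example, not from the report: the gateway denies access when a device's
OS version (or Android security patch level) is below the configured minimum."""
from dataclasses import dataclass
from datetime import date
import re

# Constructed policy: minimum OS version per platform, and for Android the
# oldest acceptable monthly security patch level (hypothetical values).
MIN_OS_VERSION = {
    "android": (10, 0),
    "ios": (14, 0),
    "windows": (10, 0, 19041),
    "macos": (11, 0),
}
MIN_ANDROID_PATCH_LEVEL = date(2022, 1, 1)


@dataclass
class DevicePosture:
    platform: str
    os_version: str
    security_patch: str = ""  # Android "YYYY-MM-DD"; empty for other platforms


def parse_version(text):
    """Turn '10.0.19041' into (10, 0, 19041); None if the string is malformed."""
    text = text.strip()
    if not re.fullmatch(r"\d+(\.\d+)*", text):
        return None
    return tuple(int(part) for part in text.split("."))


def version_at_least(actual, minimum):
    """Component-wise comparison, padding the shorter tuple with zeros."""
    width = max(len(actual), len(minimum))
    return actual + (0,) * (width - len(actual)) >= minimum + (0,) * (width - len(minimum))


def evaluate(device):
    """Return (allowed, reason). Fails closed on unknown or unparseable input."""
    platform = device.platform.lower()
    minimum = MIN_OS_VERSION.get(platform)
    if minimum is None:
        return False, f"unknown platform {device.platform!r}"
    actual = parse_version(device.os_version)
    if actual is None:
        return False, f"unparseable OS version {device.os_version!r}"
    if not version_at_least(actual, minimum):
        return False, f"OS {device.os_version} below minimum {'.'.join(map(str, minimum))}"
    if platform == "android":  # a recent version alone is not enough on Android
        try:
            patch = date.fromisoformat(device.security_patch)
        except ValueError:
            return False, "missing or malformed Android security patch level"
        if patch < MIN_ANDROID_PATCH_LEVEL:
            return False, f"security patch {device.security_patch} older than {MIN_ANDROID_PATCH_LEVEL}"
    return True, "device meets the minimum OS requirement"


if __name__ == "__main__":
    # Constructed sample devices as they might report themselves at login.
    for d in [DevicePosture("android", "9", "2021-05-05"),
              DevicePosture("android", "13", "2023-02-05"),
              DevicePosture("ios", "14.4.2"),
              DevicePosture("windows", "10.0.17763"),
              DevicePosture("macos", "1l.2")]:
        allowed, reason = evaluate(d)
        print(f"{d.platform:8} {d.os_version:12} {'ALLOW' if allowed else 'DENY'}  {reason}")
```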
"This leaves an exploitable device in your network, waiting for attackers to use it to gain
access to your data" (Jennifer Lonoff Schiff). From this statement we know that an outdated
operating system is a serious risk that lets an attacker access the data, especially in a big
company where all the computers run outdated operating systems. Therefore ITSD has to ensure that
the operating systems of all MMU computers are up to date and that anti-virus software is
installed, so that the operating system is more secure and the risk of being hacked is reduced.
Apart from that, stolen personal devices are another risk that threatens the organization, so
we have defined a series of IT control activities to control this risk. A password is the strongest
defense protecting the sensitive data on the device. ITSD is able to require a complex password
containing lower case, upper case, numbers and special characters. This raises the security level
of the personal device and makes it harder for a hacker attacking the device.
Furthermore, ITSD encourages employees to install tracker apps to protect the device and
increase the chance of recovering a stolen device. Although the device must be turned on, have a
cellular data connection and have GPS enabled, it is at least imperative when a device is lost or
stolen that we are able to do something to find it.
Besides, ITSD should set rules for all students and employees about their belongings. The
rules should clearly state that people are responsible for taking care of their belongings,
especially personal devices, and must not leave a device unattended in a public area. ITSD also
has to act on found lost devices; for example, ITSD can issue a summons to people who did not take
care of their device.
After that, encryption is another IT control activity to prevent the risk from occurring.
ITSD is able to encrypt the confidential data, and ITSD takes responsibility for writing the
encryption algorithm. After the information is encrypted, only the high committee holds the
decryption key, and the high committee decrypts the sensitive information for employees who are
qualified to access it. This action helps protect the sensitivity of the data.
The IT control activities for the fifth risk we defined concern the lack of cyber security
knowledge. In this 21st century, people without any cyber security knowledge are at risk because a
hacker can easily steal their personal details, money and so on. For example, a person without any
knowledge of cyber security is easily cheated by online phishing, and the money in his or her
online account is stolen.
Therefore ITSD needs to give enough training or talks to MMU's students and employees,
because the user is the weakness that a hacker easily attacks. With the training given by ITSD,
they are able to tell clearly which links are real and which are not, so that they are not easily
cheated and do not download files from unknown sources without proper checking.
ITSD can also conduct online quizzes about security knowledge among students and employees.
With the help of the online quiz, they get to know the latest cyber threat news and improve their
cyber knowledge at the same time.

ITSD also needs to encourage them to use spam and web filters to close windows of
vulnerability. A spam filter helps remove unwanted or scam e-mails sent to their inbox. With a web
filter, ITSD should limit their access to unneeded websites, which reduces the chance of sensitive
data being stolen by an unknown website.
ITSD also needs to encourage them to report any strange behaviour on their computer to ITSD.
Besides that, ITSD's IT staff should regularly keep up to date with the latest news and
information about cyber threats so that they know how to defend against them.
Lastly, the following IT control activities we defined are used to control the USB device
risk. ITSD should encourage employees to install an antivirus program on their personal device so
that the computer can detect a Trojan carried on a USB device. Employees should open the antivirus
program and scan the USB device after plugging it in. This action also improves employees'
knowledge about security checks for USB devices.
The next control activity might bring some trouble to ITSD, but it controls the risk
efficiently: ITSD needs to prohibit employees from bringing their own USB devices to work. There
are many different types of USB device on the market, and employees may have no idea whether their
USB devices are infected. ITSD should provide a solution alongside the ban, which is to purchase
USB devices for the employees. Before purchasing, ITSD must find a trusted supplier and ensure
that the devices are not infected.
In a nutshell, this control activity is similar to the encryption activity used for the stolen
device risk: sensitive data is required to be encrypted in order to raise its security level. ITSD
is able to encrypt the confidential data. First, an encryption algorithm is essential for the
encryption process, and ITSD should form a development team for the whole process. After that,
employees are required to retrieve all the sensitive data and encrypt all of it. After the
encryption, ITSD requests employees to check that all of the confidential data is encrypted. The
high committee is the only party holding the decryption key; the fewer people hold the decryption
key, the less IT risk occurs. The high committee is the only one able to decrypt the sensitive
information for employees who are qualified to access it. This action helps protect the
sensitivity of the data.
Internal Control (IC) flowchart

The Internal Control (IC) flowchart shows the IT control activity for the third-party application risk.
1) The user installs a third-party application to access the services.
2) If the application is not an official application, it is submitted to the ITSD department to
examine it.
3) The system checks whether the user has installed the official application; if yes, the system
allows the application to access all the services.
4) The supplier signs a contract with ITSD for developing the application, to ensure that the
developed application is used for its general purpose only.
5) The application is submitted to the ITSD department for examination.
6) If the application is safe, it is allowed to access the services.
7) If the application is not safe, ITSD blocks all access from the application to the services.

COBIT Process Description

PO9 Assess and Manage IT Risks: to prevent sensitive data being accessed by third-party
applications, ITSD suggests that users install the official application developed by ITSD.

COBIT Control Objective

PO 9.4 Risk Assessment: ITSD carries out the examination process to check all third-party
applications that access the services, to ensure that sensitive data is not misused.

The Internal Control (IC) flowchart shows the IT control activity for the USB device risk.

1. The ITSD development team writes the encryption algorithm for the process.
2. Employees are required by the development team to retrieve all the sensitive data.
3. If sensitive data still exists, the employee has to retrieve the remaining sensitive data
again.
4. The employee has to submit all the sensitive data to the development team to encrypt it.
5. After the encryption, the development team gives the decryption key to the high committee.
6. An employee has to submit a request form to the high committee to access the sensitive data.
7. The high committee uses the decryption key to decrypt the sensitive data.
8. The high committee is able to reject the request form.

COBIT Process Description

ME2 Monitor and Evaluate Internal Control: ITSD encrypts the data that is confidential and
important to the company.

COBIT Control Objective

ME2.1 Monitoring of Internal Control Framework: ITSD writes a special program designed to
encrypt the sensitive data in order to prevent the data from being exposed to the outside world.

Conclusion
In conclusion, as the Internet of Things grows bigger and bigger, the security of personal
devices has become a worry around the whole world. Especially in a big company, personal devices
increase the risk of exposing the office to malware because they can be stolen, lost or hacked.
Sensitive data can then be accessed easily from outside, which can cause the company to lose
billions of dollars if a personal device is stolen or hacked.
ITSD has to ensure that the risk from personal devices is reduced to the minimum without
affecting the company's daily operation. ITSD also has to regularly keep its security up to date to
prevent outsiders from hacking in to steal sensitive data. Besides that, ITSD should also set rules
and policies on personal devices for students and employees so that they follow the rules and
regulations, ensuring that the occurrence of security risks is kept to a minimum.
Supporting document

Figure 1.0
Figure 1.0 shows the poster by ITSD raising awareness about not using third-party applications.
Source: http://itsd.mmu.edu.my/ict/40.html

References
1) Pennie Walters (2012). The Risks of Using Portable Devices. Retrieved from:
https://www.us-cert.gov/sites/default/files/publications/RisksOfPortableDevices.pdf
2) EY (2013). Bring your own device. Retrieved from:
https://www.google.com/url?sa=t&rct=j&q=&esrc=s&source=web&cd=15&cad=rja&uact=8&ved=0ahUKEwj4cfM463KAhWUT44KHbtHDPU4ChAWCD4wBA&url=http%3A%2F%2Fwww.ey.com%2FPublication%2FvwLUAssets%2FEY__Bring_your_own_device%3A_mobile_security_and_risk%2F%24FILE%2FBring_your_own_device.pdf&usg=AFQjCNEmgUhdXc3lVAhSAcJZ6wonhvXlIg&sig2=4L0xyjkI2MQR4CFtw6zcTw&bvm=bv.112064104,d.c2E
3) Rapid7 (2013). The Rise and Risk of Mobile Devices in the Workplace. Retrieved from:
https://www.rapid7.com/docs/mobile_aug_2013.pdf
4) Michael Cooney (2010). 10 common mobile security problems to attack. Retrieved from:
http://www.pcworld.com/article/2010278/10-common-mobile-security-problems-to-attack.html
5) Allison Erdman (2015.06.01). The 3 Biggest Mobile Security Risks. Retrieved from:
https://blog.catavolt.com/2015/06/3-biggest-business-security-risks-in-your-organization/
6) Deloitte (2014). Mobile devices: Secure or security risk? Retrieved from:
https://www2.deloitte.com/content/dam/Deloitte/ie/Documents/Risk/mobile_device_secure_security_risk.pdf
7) David Poarch, Matt Cook, Anne Grahn (2015.06.08). Mobile Device Security in the Workplace: 6
Key Risks & Challenges. Retrieved from:
http://focus.forsythe.com/articles/55/Mobile-Device-Security-in-the-Workplace-6-Key-Risks-and-Challenges
8) Warwick Ashford (2015.08.26). Many firms not getting to grips with third-party data security
risk. Retrieved from:
http://www.computerweekly.com/news/4500252340/Many-firms-not-getting-to-grips-with-third-party-data-security-risk
9) Jennifer Lonoff Schiff (2015.01.25). 6 biggest business security risks and how you can fight
back. Retrieved from:
http://www.cio.com/article/2872517/data-breach/6-biggest-business-security-risks-and-how-you-can-fight-back.html?page=2
10) Jack Schofield (2015.02.19). How can I safely recycle my old PCs? Retrieved from:
http://www.theguardian.com/technology/askjack/2015/feb/19/how-safely-recycle-old-pcs-computers
11) Robert Siciliano (2015.04.13). The Danger of the Bring-Your-Own-Device-to-Work Trend.
Retrieved from: http://www.entrepreneur.com/article/243546
12) Nate Lord (2016.01.12). BYOD Security: Expert Tips on Policy, Mitigating Risks, &
Preventing a Breach. Retrieved from:
https://digitalguardian.com/blog/byod-security-expert-tips-policy-mitigating-risks-preventing-breach
