Unit 3
Risk identification report
Risk identification report — Reflection
The assignment prompted me to focus on multiple objectives and conduct diverse research. First, research on whether digital transformation is sensible for the business was required. Then, to supplement these business-focused findings, two risk assessments were conducted to illustrate how the risks for the enterprise change as a result of digitalisation.
While completing the first objective, I had to research what effect digitalisation (or lack thereof) will have on the business. This required looking into the papers that focus on how businesses survive in the digital era, as well as how the online presence of a business is connected with its success. Besides, thorough research was needed to define the scope and the scenario for the digitalisation: what solutions the organisation could use and what vendors to hire.
An aspect that shouldn’t be unexpected, but was still exemplary of how digital technology permeates all aspects of the economy, was how many different solutions for SMEs there are that implement diverse functionality, from online e-commerce and payment integration up to stock management and financial reporting. Besides, there are numerous vendors offering their services for integrating these solutions into an existing enterprise.
Another objective was to perform a security analysis of the enterprise both pre- and post-digitalisation. This required researching and comparing risk assessment frameworks, all of which have their own specifics and targets. In this case, I opted to use OCTAVE Allegro, which is specifically designed for SMEs, does not require the analysis team to have an extensive background in risk assessment, and does not take a substantial amount of time to complete.
I found OCTAVE Allegro to be extremely useful, as it not only guides the evaluation process but also provides a set of structured worksheets for each of the assessment steps. However, some parts of the assessment felt repetitive, as they required filling out the same worksheets with slight variations of similar data. In any case, working with a structured framework organised the extensive task of risk assessment quite efficiently, allowing me to focus only on the currently relevant parts of the enterprise.
In conclusion, working on this assignment provided me with a number of insights and broadened my knowledge. At the same time, preparing the submission didn’t go as smoothly, as I felt the 600-word constraint did not allow me to answer all questions from the assignment in sufficient detail. While I acknowledge the value in restricting the word count for submissions, I do not think 600 words is appropriate for this assignment.
Security standards exercise
Review the following links/websites and answer the questions below.
ICO. (2020) Guide to the General Data Protection Regulation (GDPR).
PCI Security Standards.org. (2020) Official PCI Security Standards Council Site - PCI Security Standards Overview.
HIPAA. (2020) HIPAA For Dummies – HIPAA Guide.
- Which of the standards discussed in the sources above would apply to the organisation discussed in the assessment? For example, a company providing services to anyone living in Europe or a European-based company or public body would most likely be subject to GDPR. A company handling online payments would most likely need to meet PCI-DSS standards.
- Evaluate the company against the appropriate standards and decide how you would check if the standards were being met.
- What would your recommendations be to meet those standards?
- What assumptions have you made?
For Pampered Pets, a brick-and-mortar shop specialising in pet food, not many standards apply, and whether they do depends on the type of data the business processes.
In its original state, the shop does not process any online payments. However, as it is still possible to place orders online via email, GDPR would apply: customers’ names and email addresses are personally identifiable information, and so is their order information (‘Regulation (EU) 2016/679 of the European Parliament and of the Council (General Data Protection Regulation)’, 2016). More information is required to determine whether further data processing regulations would apply to the non-digital version of the shop.
Post-digitalisation, however, it is likely that Pampered Pets will increase its reliance upon digital technology for accepting, processing, and dispatching orders, as well as for processing customer payments. This increases the importance of proper GDPR implementation and also requires that the business comply with the standards imposed by payment processing systems, such as PCI DSS, whose function is to ensure the safety of online payments (Fruhlinger, 2024).
To determine whether the organisation complies with the relevant standards, the following steps can be implemented:
- Determine the scope and nature of data that the organisation processes.
- Investigate the flow of data: what media are the data stored on, who accesses them and why.
- Investigate how the data is protected: both physically and digitally.
- Identify weak spots in the discoveries from above and propose changes to improve compliance.
If formal proof of compliance is required, it is advisable to commission a professional audit.
To be proactive in compliance with the standards, it is important to understand the underlying ideas that prompted their creation. For GDPR, the main focus lies in protecting individuals’ personal data from being collected, processed, and transferred for purposes unknown to the data subjects. In this case, there must be an added focus on developing systems and processes that implement proper data controls: monitoring the flow of data and allowing for their timely removal when they are no longer necessary.
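As an added example (not part of the original submission), the data-control idea above as a small Python routine for the email-order scenario: an inventory of which stored fields are personal data, a check for fulfilled orders past their retention period, and a purge that erases the personal data while keeping an audit log. The order fields, the sample records, the "current" date and the two-year retention period are constructed assumptions, not details from the case.

```python
from dataclasses import dataclass, replace
from datetime import date, timedelta
from typing import Optional

# Assumed: which stored fields count as personal data under GDPR for this shop,
# and how long a fulfilled order is kept before its personal data is erased.
PERSONAL_DATA_FIELDS = ("customer_name", "customer_email")
RETENTION_DAYS = 730  # assumed two-year retention period for fulfilled orders
TODAY = date(2025, 8, 14)  # constructed "current" date for the example

@dataclass(frozen=True)
class Order:
    order_id: int
    customer_name: str
    customer_email: str
    items: str
    fulfilled_on: Optional[date] = None  # None = still open, must be kept intact

# Constructed sample of email orders: one old, one recent, one still open.
SAMPLE_ORDERS = [
    Order(1, "A. Example", "a@example.com", "dry dog food 10kg", date(2022, 3, 1)),
    Order(2, "B. Example", "b@example.com", "cat litter 20l", date(2025, 6, 1)),
    Order(3, "C. Example", "c@example.com", "bird seed 5kg", None),
]

def data_inventory(orders):
    """Step 1 of the compliance check: per record, which fields hold personal data."""
    return {o.order_id: [f for f in PERSONAL_DATA_FIELDS if getattr(o, f)] for o in orders}

def past_retention(orders, today=TODAY, retention_days=RETENTION_DAYS):
    """Fulfilled orders whose retention period has expired (open orders are never listed)."""
    cutoff = today - timedelta(days=retention_days)
    return [o.order_id for o in orders
            if o.fulfilled_on is not None and o.fulfilled_on < cutoff]

def purge_expired(orders, today=TODAY, retention_days=RETENTION_DAYS):
    """Erase personal data from expired orders without mutating the input.
    The anonymised order line is kept for stock and financial history;
    the returned log records what was erased and when, for audit purposes."""
    expired = set(past_retention(orders, today, retention_days))
    kept, log = [], []
    for o in orders:
        if o.order_id in expired:
            o = replace(o, customer_name="", customer_email="")
            log.append((o.order_id, today.isoformat(), "personal data erased after retention"))
        kept.append(o)
    return kept, log
```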
References
Fruhlinger, J. (2024) ‘PCI DSS defined: Requirements, fines, and steps to compliance’, CSO Online, 3 April. Available at: https://www.csoonline.com/article/569591/pci-dss-explained-requirements-fines-and-steps-to-compliance.html (Accessed: 14 August 2025).
‘Regulation (EU) 2016/679 of the European Parliament and of the Council (General Data Protection Regulation)’ (2016). Official Journal of the European Union. Available at: http://data.europa.eu/eli/reg/2016/679/oj (Accessed: 19 January 2025).