A risk is the loss potential that exists as the result of threat and vulnerability pairs. Below is a list of a number of potential threat areas that need to be fully assessed at the beginning of any IT undertaking. A threat is “any force or phenomenon that could degrade the availability, integrity or confidentiality of an Information Systems resource, system or network.” One definition is “any circumstance or event with the potential to cause harm to a system in the form of destruction, disclosure, modification of data, and/or denial of use.”
Assets At Risk
Facilities
Environmental risks cover things such as floods, lightning, earthquakes and tornadoes. There should be a local meteorological office that could provide information on this, but quite likely a large insurance company should be able to supply more information than you need as part of their policy pricing information. Additionally, consider flooding from such things as fire main leaks and fire extinguisher sprays, as well as fires, contamination, traffic coming through the front of the building or hitting power poles, and even bombs – real or even threatened.
Equipment
Power surges can come over the power lines and damage the equipment; fire extinguishers and plumbing leaks are very bad for electronics; some equipment may be dependent upon air conditioning; and some may even “develop legs and walk away”! Additionally, care should be taken that equipment is not used for unauthorized purposes.
Software
Programming can be accidentally (or intentionally) modified or destroyed by programmers or even users. Interrupting the power to an operating system is one method by which the programs which are running may be corrupted. The backup process often has the ability to destroy programs as well as data if improperly used, such as if the “restore” capability is triggered improperly. There is also the risk when installing or upgrading programs that the new code is itself corrupted.
Records and files
How safe is the storage of the media? Could they become lost or damaged? Are they stored in a location where they may be considered “surplus” or “for general use”? If the media is lost or stolen, consider the impact of not only the missing media but the information on it.
Data and Information
This is where the risk of “crackers and hackers” may manifest itself.
Information is something that can be copied or examined without the owner being any the wiser. Information on disk may be copied, read or even erased from remote locations through network connections. The media – external copies, pages of printout, even the computer itself – may be subject to the possibility of damage, loss or theft.
Negotiable and other material
This area includes problems derived from unauthorized transactions being performed on the computer such as:
a. A retail location may find it has “sold” a thousand items and mailed them, only to find it has an invalid credit card number.
b. Something that was sold in confidence becoming public knowledge.
c. Something on which the customer is depending gets “lost” in a fraudulent manner.
Another risk is if there are online control systems which may be corrupted. Power, lights, air conditioning and more are likely to be under computer control. Many sites have their internal control records maintained online. The transfer of items from one location inside the organization to another is recorded – or even ordered – through a computer. This includes things like service orders. There is a possibility of these orders being corrupted, deleted or even falsified.
Mission
The threats to your organization are limited only by the risks the organization exposes itself to. The more an information system is used, the more vulnerable it becomes. There may be forged email, the legal record may become published in the local newspaper, competitors may find out proprietary information – the list goes on and on and can only be determined by the ones in the know: YOU.
Personnel
A brief talk with a local insurance company will reveal a multitude of risks: vital individuals may get hit by cars, an epidemic may run rampant across the secretarial pool or even the competitor may decide to pay more.