Risks and Potential Impact Relating to Security, Auditing and Disaster Recovery

Essay by mew001 August 2009


Introduction

"Risks are the potential consequences of events or conditions that can adversely affect an organization's operations and revenues, as well as its relationships with communities, business partners, suppliers, and customers" (Erbschloe, 2003).

Executive Summary

The organization selected for this paper is a Christian bookstore that sells books, CDs, DVDs and miscellaneous items. Bookstore customers include walk-ins and organizations that place larger orders. Contracts are made with some of these organizations because of the volume of their orders. These organizations include churches and educational groups such as private schools and home schoolers.

Store Location and Description

The bookstore is located within 3 blocks of the river flowing through town and is inside a strip mall. The area is prone to flooding and also lies within the region known as 'tornado alley.' The store has 1000 square feet of floor space and a selling space of 650 square feet, with approximately 2500 books on the shelves. Since the bookstore is located within a strip mall, only one wall faces outside, and it is built of part glass and part brick.

Asset and Function Weights

The weights listed below denote the importance of each asset or function to the organization. For this paper, it is assumed that the bookstore has proper insurance coverage in place. Photographs of the interior and exterior are on file with the insurance company and at an offsite location. System backups are also secured at an offsite location. Additionally, approaches to the elimination and minimization of the risks are suggested.

Risk rating is as follows: 5 - Very High Risk; 4 - High Risk; 3 - Medium Risk; 2 - Low Risk; 1 - Very Low Risk

TABLE 1 - SECURITY RISK ASSESSMENT

Assets & Functions | Weight | Human Error | Viruses, Worms | Theft of Property / Information | Hackers | Approaches for Elimination and Minimization
Server | 0.5 | 5 | 5 | 2 | 5 | Store in safe place, assign levels of employees, monitor.
Network | 0.5 | 2 | 1 | 1 | 5 | Use firewall policy, set permissions, update regularly.
Internet / Intranet | 0.4 | 3 | 5 | 1 | 3 | Use encryption, authentication, & transactional security; policy.
Information / Data | 0.4 | 5 | 5 | 5 | 5 | Label files, use passwords, lock room.
PCs / Laptops | 0.3 | 4 | 5 | 5 | 5 | Use virus protection, lock room.

TABLE 2 - DISASTER RISK ASSESSMENT

Assets & Functions | Weight | Tornado | Flood | Earthquake | Terrorist Attack | Approaches for Elimination and Minimization
Employees | 0.5 | 3 | 5 | 3 | 3 | Keep emergency kit, practice drills, make a plan to exit building, stay informed, provide physical & technical training.
Building | 0.4 | 4 | 3 | 2 | 1 | Inspect interior & exterior. Trim limbs, clear loose objects, etc.; install sprinklers, shutters, fireproof storage.
Merchandise | 0.4 | 5 | 4 | 2 | 1 | Inspect layout & rearrange items. Move merchandise to another location if time permits.
Communications | 0.3 | 4 | 5 | 3 | 2 | Have wireless communication.

Estimates of Impact in Terms of Dollars

In the case of a disaster, three kinds of costs are listed below: loss due to property damage, loss of sales and loss due to increased expenses.

TABLE 3 - ESTIMATES

Assets & Functions | Weight | Impact - Property Damage | Impact - Lost Sales | Impact - Increased Expenses
Server | 0.5 | $3,000 | N/A | $2,500
Network | 0.5 | $2,500 | N/A | $1,200
Employees | 0.5 | Worker's / Injury Comp | $3,500 / day | N/A
Merchandise | 0.4 | $100,000 | $400,000 | $415,000 replacements & shipping
Building | 0.4 | $12,000 | $15,000 | $8,000 for supplies
Internet / Intranet | 0.4 | $1,200 | 35% | $750
Information / Data (including fax) | 0.4 | $20,000 | 40% | $100
Communications | 0.3 | $750 maximum | $150 / day | N/A
PCs / Laptops | 0.3 | $15,000 | 20% | $1,750

Conclusion

The goal is to create a method for evaluating the relative risk of each of the listed vulnerabilities (Whitman, 2004). Risk controls use processes such as configuration monitoring, intrusion detection and audit trails to detect and deter violations of security policy and attempts to exploit assets and functions. After a natural disaster, securing the building and its contents should be the first order of business, followed by bringing the online systems back up as soon as possible. After a hardware or software 'event', an analysis (possibly a quick one) of the damage should reveal the first steps toward resolution. Backups may be used to replace lost or damaged files. Impacts to third parties should be kept as minimal as possible during the resolution.
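One way to turn the asset weights and threat ratings of Table 1 into the ranked list the conclusion calls for, as an added example that is not part of the original essay: the combination rule (asset weight multiplied by the sum of its threat ratings, and per threat the weighted sum across assets) is an assumption, since the essay states no formula; the numbers are those of Table 1 and the function names are invented here.

```python
from typing import Dict, List, Tuple

# Rating scale from the essay: 5 - Very High Risk down to 1 - Very Low Risk.
RATING_MIN, RATING_MAX = 1, 5

# Table 1 of the essay: asset weight, then its ratings for the four threat columns.
THREATS = ["Human Error", "Viruses, Worms", "Theft of Property / Information", "Hackers"]
TABLE_1: Dict[str, Tuple[float, List[int]]] = {
    "Server": (0.5, [5, 5, 2, 5]),
    "Network": (0.5, [2, 1, 1, 5]),
    "Internet / Intranet": (0.4, [3, 5, 1, 3]),
    "Information / Data": (0.4, [5, 5, 5, 5]),
    "PCs / Laptops": (0.3, [4, 5, 5, 5]),
}


def validate(table: Dict[str, Tuple[float, List[int]]], n_threats: int) -> None:
    """Reject rows that do not fit the essay's scale before any scoring is done."""
    for asset, (weight, ratings) in table.items():
        if not 0.0 < weight <= 1.0:
            raise ValueError(f"{asset}: weight {weight} must be in (0, 1]")
        if len(ratings) != n_threats:
            raise ValueError(f"{asset}: expected {n_threats} ratings, got {len(ratings)}")
        if any(not RATING_MIN <= r <= RATING_MAX for r in ratings):
            raise ValueError(f"{asset}: ratings must be {RATING_MIN}..{RATING_MAX}")


def asset_scores(table=TABLE_1, n_threats=len(THREATS)) -> List[Tuple[str, float]]:
    """Assumed rule: weight * sum(ratings) per asset; highest-priority asset first."""
    validate(table, n_threats)
    scores = [(asset, round(w * sum(r), 2)) for asset, (w, r) in table.items()]
    return sorted(scores, key=lambda kv: kv[1], reverse=True)


def threat_scores(table=TABLE_1, threats=THREATS) -> List[Tuple[str, float]]:
    """Assumed rule: for each threat column, sum weight * rating over all assets."""
    validate(table, len(threats))
    totals = []
    for i, threat in enumerate(threats):
        totals.append((threat, round(sum(w * r[i] for w, r in table.values()), 2)))
    return sorted(totals, key=lambda kv: kv[1], reverse=True)


if __name__ == "__main__":
    for asset, score in asset_scores():
        print(f"{asset:<36} {score:>5}")
    for threat, score in threat_scores():
        print(f"{threat:<36} {score:>5}")
```

With these rules the Server and Information / Data rows come out on top and Hackers is the highest-scoring threat column, which is where the mitigation effort would go first.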

Bibliography

Erbschloe, Michael, and John Vacca. Guide to Disaster Recovery. Cambridge: Course Technology, 2003.

Mattord, Herbert J., and Michael E. Whitman. Principles of Information Security, Third Edition. Cambridge: Course Technology, 2008.