IT Risk Assessment Example
The information below is an example of a risk assessment report for a fictional company:
Physical security is a major risk area when considering the security of the Rapid Data Services building. Here are a few factors I found when looking at the layout and the procedures they have put in place.
• Security Cameras – There is only one security camera in the whole building; it is situated in the reception area and does not monitor any other part of the building. If no staff are present elsewhere, those areas are neither monitored nor protected.
• Fire Exit – There is only one fire exit, situated at the back of the building, and it is unalarmed, so staff would not be made aware if someone opened the door and walked around the building. Because it is at the back, it is also near the server racks, which contain and store large amounts of personal data and information.
• Open Doors – No security procedure has been put in place for the doors, so anyone is able to open them and roam the building freely. Once past the main entrance and reception, people can walk between rooms without anyone being aware, and could reach the server racks unnoticed.
• Entry Point – There is only one entry point for both the mains electricity and the Internet link. If someone damaged one of these lines, or there was a fault, the whole building would lose Internet and electricity until it was fixed, resulting in downtime for the business.
• Motion Detectors – There are no motion detectors in the building to alert staff if someone is in one of the rooms where the servers are kept. They would also be useful to alert staff if a colleague was in a room they did not have authority to be in.
Risks to electronic communication:
• Email – There is no physical security protecting the data stored in the server racks, and also no sign of a back-up system. This means that if people gained access to the building they could obtain information such as staff email addresses, the contents of those emails, postal addresses and occasionally personal information.
• Wifi – The Rapid Data Services building has only one Internet link and one service entry point. There is no obvious sign of security, as it appears easily accessible. Furthermore, if this single link fails, staff in the building are unable to connect to the wireless Internet connection. If someone gained access to the network, this could cause major disruption and potential loss of, or disruption to, people’s data.
Other risks to their network, data and associated ICT equipment:
• One line for mains and Internet – There is only one line coming into the building, which is relied on to provide both mains electricity and the Internet. If it is interfered with, it causes problems for both the electricity and the Internet connection. There is no sign of physical security to prevent people from removing or damaging the cables, and no apparent protection to stop someone from logging on to the network and making changes that could affect other users connected to it.
• Back-Up – There is no obvious sign of a back-up system in place. If something happened to their data, or it was damaged, even unintentionally, there would be no way to restore the information they previously had.
Types of data that may be targeted or at risk from hackers and others:
Rapid Data Services provides a wide variety of services such as back-up and data storage facilities. They also host websites for their customers and house servers for their clients. Many of their customers are banking and financial companies that process thousands of transactions every day. With this kind of business, a great deal of private and confidential information about people and companies is stored. The fact that most of their clients are banks suggests that they store card details and other information such as addresses.
• Credit Cards – Crucial customer information, such as the credit card details used to pay for the service and complete transactions, may be stored in this building.
• Transactions – An attacker could possibly obtain details of the transactions made to and from the company, such as time, date, value and the client’s personal information.
• Bank Account – Additional information about bank accounts could be found alongside the card details, such as the account holder’s full name, address and other personal information held.
• Identity Theft – Other information such as addresses, contact numbers and names is typically stored about customers. This can be found easily and can result in identity theft, as the attacker would know enough about the person to replicate their identity and send messages in their name.
• Company Data – Information about the company itself would also be stored on the systems. If someone gained access to it, they would have crucial information about the company, how it functions, and its employees and customers.
The various motivations of the people who may attempt to attack Rapid Data Services Limited’s network or facilities:
Much of the time, crimes are committed because the person enjoys doing it. However, there are other motivations or reasons why someone would commit a crime. These include:
• Money – The most common motivation for someone to do something unauthorised or untoward is to gain something from it, such as money or another kind of payment. If they feel they will gain from it in the end, they are more likely to do something wrong even if it puts them at risk of getting in trouble.
• Blackmail – Occasionally someone is blackmailed into doing something because they fear something or someone and feel they have to comply. So although they may not actually want to steal any data, they do it because they are being blackmailed.
• Peer Group – Another reason some people may be motivated to attack Rapid Data Services is peer pressure. If others around you suggest you do it, you may feel you do not want to let them down, and want to impress them, and so end up doing it.
The various methods these people may employ to access the data and the ICT networks of Rapid Data Services Limited:
These are some of the methods they would use on a computer to gain access to private and confidential information:
• Keylogger – A program that records the keys pressed by a user and the pattern in which they are pressed. Typically the user is unaware of it; it is installed by the hacker so they can monitor what the user types and obtain personal information such as an email address or a password.
• Dictionary Attack – This is similar to brute force in that it generates thousands of candidate codes. It is aimed at the decryption key, in order to gain access to an administrative role.
• Brute Force – This method generates thousands of codes in the hope that one matches a passcode that has been set on the computer. It is one way of obtaining passwords to get onto systems, and it also gives access to other private and confidential information that was previously password protected.
• Social Engineering – A method in which hackers manipulate people into providing private and confidential information. They often find out some information about a person and then use social media to gather additional information about them.
Recommendations for Rapid Data Services Limited for the design and build of their new data centre
Recommendations for physical security of key ICT equipment:
Following these recommendations will make the building physically more secure, and make it less likely that information can be stolen or accessed while staff are unaware.
• Lock and alarm the fire door – Ensure the fire exit has suitable locks/bolts so that it is secure but can be easily unlocked in an emergency. Fit an alarm to the door so that staff are made aware whenever it is opened, in case someone tries to gain access to the building from the back.
• More Security Cameras – There is currently only one security camera, in reception, and it is not set at an angle that allows the people walking in and out of the building to be monitored. Ensure you have enough cameras to cover every point where people can enter the building, and every room, so that if anyone does anything untoward in a room it is recorded on CCTV.
• Motion Detectors – Motion detectors are very useful, as it is physically impossible to cover every area of the building with CCTV cameras. Place motion detectors where the cameras cannot see, or in areas that unauthorised people should not enter, so that an alarm alerts staff when someone’s movement is detected in the room.
• Power – An alternative or back-up power line/cable is recommended, so that if someone tampers with the cable or it develops a fault, power can still be supplied to the building from the back-up supply.
• Internet – As with the power supply, it is suggested that you have a back-up or alternative cable to use if the Internet connection fails or someone tampers with it. That way, if the main link fails, you still have a back-up to run from and users can still access the network.
• Layout – Layout is an important factor, especially for Rapid Data Services. I would consider changing the layout so that the server racks are more visible and the paths to them more open, so that staff can monitor, control and be aware of the people at the back of the building and what they are doing there.
Recommendations for the security of electronic communications, with an explanation justifying each recommendation:
• Anti-Virus – It is strongly recommended that you have anti-virus software on the machines your employees work on, to prevent the information stored on them from being misused. The software scans the computer and anything sent to it, such as email attachments and files downloaded from the Internet; if it finds a virus or anything that could damage your data or computer, it blocks it from downloading or opening.
• Firewall – The purpose of a firewall is to stop unwanted information and data from coming into, or leaving, the computer it is set up on. It does this by blocking ports, which prevents unwanted data from entering and important confidential information from leaving the computer.
• Encryption – Encryption provides a layer of protection to your network when sending and receiving data. It works by transforming the data into a coded form when it is sent from one device to another, so that it is readable only by those authorised to access it.
• Back-Up – A back-up is strongly recommended because, whether you lose data unintentionally or intentionally, you will always have a copy of the original. If someone damaged or edited your data, comparing it against the back-up shows what they changed or removed.
• Spam Filter – Using a spam filter on your email is a good precaution: messages from unknown senders, or from addresses the programme thinks may be junk or harmful to your computer, are filtered into a separate folder, so the user pays more attention when opening items from it.
Recommendations for securing key ICT equipment and data from ‘attack’, both internal and external, with an explanation justifying each recommendation:
• Back-Up – Having a back-up of your data is vital for the security of your information. If someone damaged or changed your data, you could tell what had been changed or removed by referring to your back-up.
• DoS Attack prevention – In the firewall application you can set a rule so that when there are many incoming requests at one time, the sender is asked for a CAPTCHA. They must enter it correctly for the request to proceed; spam or unwanted automated traffic would not know the CAPTCHA that has been set, so the data would not be allowed onto the computer.
• Password Policy – Passwords are one of the most common methods of keeping your devices secure. The longer and more complex the password, the harder it is for others to guess it and so break into your system and access your data/information.
• Encryption – Encryption on a network is also very useful, as it protects the information and makes it unreadable to anyone who gains access to it without authority.
• Internet and power line – An additional Internet and power line gives the business a back-up if anything happens to the main lines.
• Authentication – A form of authentication on your computer is an additional security feature. This is normally a window asking you to enter the administrator username and password, verifying that you are an administrative user who is meant to have access to this function or information.
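As an added illustration of the back-up justification above (example code written for this page, not part of the original report): hashing every file in the back-up and in the live data, then comparing the two manifests, tells you exactly which files were changed, removed or added. The file paths and contents are constructed sample data.

```python
import hashlib

# Constructed sample data: the contents of a nightly back-up and the live
# file set as found after a suspected incident (not real customer data).
BACKUP_SNAPSHOT = {
    "customers/accounts.csv": b"id,name,postcode\n1,A. Smith,AB1 2CD\n",
    "transactions/2024-03-01.log": b"09:00 DEBIT 120.00 acct=1\n",
    "config/firewall.conf": b"allow 443\ndeny all\n",
}
CURRENT_FILES = {
    "customers/accounts.csv": b"id,name,postcode\n1,A. Smith,AB1 2CD\n",
    "transactions/2024-03-01.log": b"09:00 DEBIT 12.00 acct=1\n",  # value altered
    "config/unexpected.tmp": b"file not present in back-up\n",    # new file
}                                                                  # firewall.conf removed


def build_manifest(files):
    """Map each path to the SHA-256 hex digest of its contents."""
    return {path: hashlib.sha256(data).hexdigest() for path, data in files.items()}


def compare_manifests(backup_manifest, current_manifest):
    """Classify every path as unchanged, modified, removed or added by
    comparing the back-up manifest with the manifest of the live data."""
    report = {"unchanged": [], "modified": [], "removed": [], "added": []}
    for path, digest in backup_manifest.items():
        if path not in current_manifest:
            report["removed"].append(path)
        elif current_manifest[path] != digest:
            report["modified"].append(path)
        else:
            report["unchanged"].append(path)
    for path in current_manifest:
        if path not in backup_manifest:
            report["added"].append(path)
    for paths in report.values():
        paths.sort()
    return report


def audit_against_backup(backup_files, current_files):
    """Hash both file sets and diff them; returns the classification report."""
    return compare_manifests(build_manifest(backup_files), build_manifest(current_files))


if __name__ == "__main__":
    for category, paths in audit_against_backup(BACKUP_SNAPSHOT, CURRENT_FILES).items():
        print(f"{category:9s}: {paths}")
```

In practice the back-up manifest would be written at back-up time and stored separately from the data it describes, so that an intruder who alters the live files cannot also alter the record used to detect the change.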
A list of six key personnel required for a Computer Incident Response Team (CIRT), with a description of each of their likely responsibilities:
• IT Security Expert – Responsible for the electronic security of each device, for example the firewall settings, whether the machine has anti-virus on it and whether the data is being backed up.
• Physical Security Expert – Physical security is the security surrounding the devices: how secure the area is and how accessible the devices are. Physical security measures include motion detectors, security cameras and locks around each device.
• Financial Department (Audit) – This department is responsible for the money spent on the devices initially and on parts when they have to be replaced. They also calculate the cost of securing the devices.
• Human Resources – Almost every business has a human resources department. They are responsible for the data of all the employees within the company.
• Managers – The manager of the business is in control of every other department in that section. They manage other departments, assessing and evaluating their colleagues, and also manage projects to ensure that work is completed by a deadline.
• IT Audits – IT audits are used within a business and are especially applicable in the case of an IT incident, as they keep a record of everything that has happened with regard to a particular device or situation.
Likely impacts to the business if the recommendations are not accepted and implemented:
• Loss of Reputation – If the recommendations are not considered and applied, and data or information is taken or damaged, it could have a major impact on the reputation of the company. Clients and customers would not want to hand their information to a company that puts their data at risk.
• Downtime – Another factor to consider, if an incident occurred in which data and information was changed or damaged, is the amount of downtime the business would suffer trying to recover and repair the information.
• Loss of Profit – If an incident occurred in which the business lost its customers’ data, it would lose not only reputation but potentially profit as well, because a customer will not want to pay for a service that is unreliable or harmful to their data.