
INFORMATION SYSTEMS RISK

Poor System Administration Practices This risk deals with the lack of proper system administration practices or the lack of defined system administration processes. System administration processes will clearly vary from department to department, yet strong written practices are encouraged. Common areas of attention include: security audits, backup procedures, management procedures, system configuration and training.
Lack of Sufficient Operational Policies Departments should have written policies covering key functions and business continuance. This item also includes the enforcement of policies, such as security policies that can affect each department; having the necessary system administration in place to secure the environment (including controls for system/program modifications); and any fiscal constraints, primarily budget, that might hinder the specific environment.
Poor Physical Security This risk deals with physical access controls. Sufficient measures need to be in place to ensure physical security within a department or operating unit. It is essential that it be difficult for an unauthorized person to gain access to sensitive data, communications facilities, critical hardware, equipment, software, staff valuables and other facilities. This area also includes acts of vandalism, threats and sabotage.
System Compromises This risk deals with a department having poor or inadequate controls on its machines. Departments should have strong measures in place to address access control on machines (including detection of unauthorized access), scanning for viruses, procedures for unattended machines (such as screen locks), and assessing the likelihood of attack by outsiders. Dependency on specific vendors, and its implications, should also be considered.
Key Person Dependency This risk addresses the loss of management or critical skills. Reliance on one person to maintain a key function, such as networks or computer facilities, can severely compromise day-to-day operations if that person becomes unavailable. Having the necessary support structure, with backup personnel and written procedures, is important.
Loss of Critical Document Data or Software This risk deals with the inability to reproduce, via file restoration, a critical or vital document, database or application. It is essential that good backups exist, and that restores from them are tested, to protect against such an occurrence.
Data Disclosure How sensitive data is stored is an issue. The ease with which someone might access or alter it is critical, because disclosure or alteration can be damaging to a person or to the institution.
Environmental This risk is the impact of temporary failures, both planned and unplanned, of air conditioning and/or power. Such instances are very real; although often of short duration, they will obstruct your ability to provide services. They could also result from construction or remodeling in your area or building.
Functional Lockout This risk represents the inability to use your facilities and processes due to indirect issues not under your own control. Examples are unscheduled power outages, terrorist situations, police actions, bomb threats, asbestos quarantine, gas leaks and medical emergencies, all of which might occur elsewhere but affect your ability to get to your own area, cause you to evacuate it, etc.
Natural Disasters This risk is countered by contingency planning and preparedness. The risk is an unknown level of damage and disruption to your environment due to natural disasters such as lightning, tornadoes, hurricanes and severe storms. There should be concern about fire, fire with equipment loss, fire with facility damage, power outages and other disruptions, including functional loss and the inability to get staff into the workplace. For natural disasters there needs to be sufficient pre-planning and backup of data (ideally stored off-site) to ensure business continuance.
Equipment Loss This risk deals with the loss of a critical function due to a hardware failure. Such failing equipment could be communications equipment supporting phones and/or data.
Single Point of Failure This risk is associated with dependency on a particular piece of hardware supporting a key function. Such a risk is best countered by redundant hardware, strong service contracts, etc.
Poor Password Practices It is important to maintain good password practices. Passwords are like lock combinations: easily guessed passwords allow anyone to use an account or personal computer for illegal purposes. How are they assigned? Is there any enforcement? Are they checked in any manner, for example against lists of commonly guessed passwords?
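The questions above (assignment, enforcement, checking) are the ones a password-acceptance check answers in practice. The following is an added example, not code from the original page: a small Python checker that enforces a minimum length, rejects digit-only and blocklisted passwords (including leet-spelled variants such as P@ssw0rd123), and refuses passwords containing the username. The blocklist, rules and sample accounts are constructed for illustration; a real deployment would load a large breached-password list.

```python
"""Added example: a minimal password-acceptance check of the kind the
"Poor Password Practices" item asks about. Not code from the original
page. The blocklist, the rules and the sample accounts are constructed
for illustration; a real deployment would load a large breached-password
list and apply the same checks at assignment time and in periodic audits."""

import re

# Constructed sample of commonly guessed passwords (assumption: a real
# blocklist would be far larger).
COMMON_PASSWORDS = {
    "password", "123456", "qwerty", "letmein", "welcome", "admin",
}

MIN_LENGTH = 12

# Common symbol/digit substitutions people use to dodge a naive blocklist.
_LEET = str.maketrans("@$013!", "asolei")


def normalise(password: str) -> str:
    """Lower-case, strip trailing digits/punctuation and undo leet
    spelling, so that P@ssw0rd123 compares as 'password'."""
    base = re.sub(r"[\d!@#$%^&*]+$", "", password.lower())
    return base.translate(_LEET)


def check_password(password: str, username: str) -> list:
    """Return a list of policy failures; an empty list means accepted."""
    failures = []
    if len(password) < MIN_LENGTH:
        failures.append(f"shorter than {MIN_LENGTH} characters")
    if password.isdigit():
        failures.append("digits only")
    # Compare both the raw lower-cased password and its normalised form,
    # so that "123456" (which normalises to "") is still caught.
    if {password.lower(), normalise(password)} & COMMON_PASSWORDS:
        failures.append("on the common-password blocklist")
    if len(username) >= 3 and username.lower() in password.lower():
        failures.append("contains the username")
    return failures


def audit(accounts: dict) -> dict:
    """Run the check over {username: password} pairs and report only
    the failing accounts, as a periodic audit would."""
    report = {}
    for user, pw in accounts.items():
        failures = check_password(pw, user)
        if failures:
            report[user] = failures
    return report


if __name__ == "__main__":
    # Constructed sample accounts for demonstration.
    sample = {
        "alice": "correct horse battery staple",
        "bob": "P@ssw0rd123",
        "carol": "carol-at-work-2024",
        "dave": "123456",
    }
    for user, failures in audit(sample).items():
        print(f"{user}: {', '.join(failures)}")
```

The audit function assumes it sees candidate passwords in the clear, which is only true at the moment a user sets one; stored passwords should be salted hashes, so an audit of existing credentials instead hashes each blocklist entry and compares against the stored hashes.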
Clear Text Transmission of Critical Data Application designers must assume that any data on the network may be intercepted, altered or forged. Appropriate encryption and integrity protection need to be applied to critical data in transit.
Spoofing This risk deals with forging a machine's or an individual's identity, or using other techniques to gain unauthorized access to a system.
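The two items above describe the same exposure from two sides: bytes sent in the clear can be read, altered or forged, and a forger can claim another party's identity. The following is an added example, not code from the original page, showing why a cleartext message offers the receiver no way to notice alteration, and how a keyed message authentication code (HMAC-SHA256 from the Python standard library) lets the receiver reject altered, forged and replayed frames. The frame layout, the sequence-number rule and the messages are constructed for illustration, and the shared key is assumed to have been distributed out of band. HMAC provides integrity and authenticity only; an eavesdropper can still read the data, so confidentiality needs encryption on top (in practice TLS provides both).

```python
"""Added example for the "Clear Text Transmission" and "Spoofing" items:
cleartext on the wire can be altered or forged without the receiver
noticing; a keyed MAC (HMAC-SHA256, standard library) plus a sequence
number lets the receiver reject altered, forged and replayed frames.
Not code from the original page. Frame layout, sequence rule, key
handling and messages are constructed for illustration. HMAC gives
integrity and authenticity only; confidentiality still needs encryption."""

import hashlib
import hmac
import secrets
import struct
from typing import Optional

HEADER_LEN = 8   # 64-bit big-endian sequence number
TAG_LEN = 32     # HMAC-SHA256 output length


class Sender:
    def __init__(self, key: bytes):
        self.key = key   # assumed shared with the receiver out of band
        self.seq = 0

    def frame(self, msg: bytes) -> bytes:
        """Produce seq || msg || HMAC(key, seq || msg)."""
        self.seq += 1
        header = struct.pack(">Q", self.seq)
        tag = hmac.new(self.key, header + msg, hashlib.sha256).digest()
        return header + msg + tag


class Receiver:
    def __init__(self, key: bytes):
        self.key = key
        self.last_seq = 0

    def accept(self, frame: bytes) -> Optional[bytes]:
        """Return the message if the frame is genuine and fresh, else None."""
        if len(frame) < HEADER_LEN + TAG_LEN:
            return None                                   # truncated
        header = frame[:HEADER_LEN]
        body = frame[HEADER_LEN:-TAG_LEN]
        tag = frame[-TAG_LEN:]
        expected = hmac.new(self.key, header + body, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):        # constant-time compare
            return None                                   # altered or forged
        (seq,) = struct.unpack(">Q", header)
        if seq <= self.last_seq:
            return None                                   # replayed
        self.last_seq = seq
        return body


def demo() -> dict:
    """Walk through the attacks on a cleartext message and on an
    authenticated frame; returns which outcomes occurred."""
    key = secrets.token_bytes(32)
    msg = b"TRANSFER amount=100 to=acct-42"   # constructed sample message
    results = {}

    # 1. Cleartext: whatever arrives is taken at face value, so an
    #    in-path attacker simply edits the bytes and nothing detects it.
    tampered_clear = msg.replace(b"amount=100", b"amount=900")
    results["cleartext_altered_accepted"] = tampered_clear != msg

    # 2. Authenticated frames.
    sender, receiver = Sender(key), Receiver(key)
    genuine = sender.frame(msg)
    results["genuine"] = receiver.accept(genuine) == msg
    # Alteration in transit: the tag no longer matches.
    results["altered"] = receiver.accept(
        genuine.replace(b"amount=100", b"amount=900")) is None
    # Spoofing: a sender without the key cannot produce a valid tag.
    forged = Sender(secrets.token_bytes(32)).frame(b"TRANSFER amount=900 to=acct-99")
    results["forged"] = receiver.accept(forged) is None
    # Replaying a captured genuine frame is caught by the sequence number.
    results["replayed"] = receiver.accept(genuine) is None
    return results


if __name__ == "__main__":
    for check, ok in demo().items():
        print(f"{check}: {'ok' if ok else 'FAILED'}")
```

The sequence number only protects against replay to a receiver that remembers the last value it accepted; a receiver that restarts with last_seq reset to zero would accept old frames again, so real protocols either persist that state or negotiate fresh keys per session.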