IT Security

Information Technology Risk

An important step in the risk assessment process is identifying the risks that might occur within your department.  A risk can be selected because it might cause an incident that could:

  • Result in the loss of a critical service
  • Result in the loss of sensitive data or perhaps data critical to the department
  • Have a high probability of occurring
  • Result in negative publicity
  • Be extremely expensive to correct

The lists of risks that are provided below are those that have been identified by security professionals and departments at Virginia Tech.  These can be selected for your risk assessment in a manner that will best represent what might occur within the department, and can be prioritized to identify the ones most likely to occur.

System Administration Practices

System administration practices certainly vary, but common practices might be: security audits, backup procedures, management procedures, system configurations, and training.

Client System Access Control

Access security on client machines (including unauthorized access), scanning for viruses, procedures for unattended machines, and assessing the probability of hackers are all included in this area.  The dependency on specific vendors and the implications of that dependency should also be considered.

Operational Policies

Includes the enforcement of security policies that can impact each department, having the necessary system administration in place to ensure a secure environment (this includes controls for system/program modifications), and any fiscal constraints (primarily budget) that might hinder the specific environment.

Key Person Dependency

Relying on one person to maintain networks, computer facilities and such can severely compromise the day-to-day operations if problems occur.  Having the necessary support structure with backup personnel is important.

Passwords

Passwords are like lock combinations – easily guessed passwords allow anyone to use a personal computer for illegal purposes.  How are they assigned, is there any enforcement, are they checked in any manner?

Data Exposure/Loss

How sensitive data is stored is itself a risk.  The ease with which someone might access or alter it is critical, because such exposure can be damaging to a person or the institution.

Physical Security (internal)

Sufficient measures need to be in place to ensure security within a department (or operating unit).  Ensuring it is difficult for someone to get access to sensitive data, communications facilities, critical hardware/software, and other facilities is essential.

Cleartext

Applications must be aware that any network data may be intercepted, altered, or forged and there needs to be appropriate authentication steps.

Physical Security (external)

In many cases there may be operating facilities that are located in locations other than the main area (for example, labs, support desks, and so on).  Physical security for these assets is also an important part of the overall program and reflects a risk to operations.

Spoofing

This could be the act of forging a machine’s identity, or using other techniques to attempt illegal access to a system.

Natural Disaster

Natural disasters such as lightning or a tornado could cause serious problems in operations.  There should also be concerns about fire, power outages, and other disruptions that can limit (or halt) operations.

Construction

Construction problems can disrupt or destroy equipment, and there needs to be sufficient backup and planning to carry on business.

It is not uncommon for departments to specify “more specific risks” to better pinpoint actions that need to be taken to correct them.  Listed below are some of these more specific risks that were taken from risk assessments submitted by departments to the IT Security Office during the last cycle.

Software Defects

Unintentional defects in software received from vendors.

Denial of Service

An attack intended to consume some resource required to provide a service.  This could be disk space, network bandwidth, CPU capacity, etc.

Customer Data Loss

Loss of data due to hardware failure, theft of data, or perhaps not having sufficient backups.  This also would include loss of data because of unintentional exposures through a system failure or action by an employee.

Hardware Failure/Service Loss

Loss of service due to hardware failure or loss.

Malware

Malicious code. Software designed to disrupt service, that is, viruses, Trojans, worms, back doors.

Misappropriation

Use of computer resources for unauthorized activities, that is, distribution of copyrighted materials, denial of service attacks.

Man in the Middle

Intrusion of a hostile third party into a network connection.  The third party may just observe, or may attempt to alter data.

Address Spoofing

Escalation of privileges by using a network trust or authorization based on address.

Unavailability of Key Personnel

Unavailability of key personnel due to disaster, job action, widespread illness, etc.

Former Employees

Intentional actions by former employees using knowledge gained while an employee.

Social Engineering

Use of trickery to gain access or information.  Social engineering usually involves gaining small amounts of information from a large number of people, then using the information obtained to establish credibility as computer support or other personnel.

Civil Disturbance

Riots, protests, etc.  Activities that involve large numbers of people and which may disrupt the normal availability of fire, police, and EMS services or make travel difficult.

Contamination

Smoke, biological or chemical agents, asbestos.  These hazards can render an area unsuitable for human access or require special procedures for access.  Equipment may remain operational and the facility may be usable after cleanup.

Structural Damage

Damage that renders a location unsuitable for human occupancy.  This could be the result of a vehicle crash, severe weather, physical damage, etc.

Utilities

Loss of utilities other than power, that is, water and/or natural gas.

Software Updates

Failure to keep computers up-to-date with an operating system, antivirus software, or firewall.

Personnel

Not having sufficient personnel to support the hardware and software, and not having personnel with the proper training.

Physical Security

Anything from building security, to room security, to the general access to computers that might contain sensitive data.  Equipment may be physically damaged or stolen, and data stolen.

Sharing Account Access

Sharing passwords with colleagues/students to allow multiple people access to systems that contain sensitive data.

Loss of Network Connectivity

Losing access to electronic mail, calendaring functions, and critical data.

Vendor Software

Vendors often provide products that are vulnerable to attack, and are not timely in publishing patches to prevent attackers from compromising systems.

Loss of Outsourced Services

Risks of losing access to systems and services hosted by another organization for an unacceptable period of time.

Virus Infection

Users open attachments from unknown sources due to ignorance or falling victim to social engineering, or failure to install antivirus software and keep definitions updated.

Lack of Funds

Not having sufficient funds in the department to secure the necessary hardware/software to provide an acceptable level of security.  This also can contribute to not being able to replace obsolete equipment that could be vulnerable.
Another set of risks that can be referenced for the assessment is the one provided by the SANS Institute.  The SANS/FBI Top 20 vulnerabilities are prepared and updated regularly to reflect those risks that have a high probability of occurring and could result in the loss of a critical service or data.  This list can be found at the following location:

http://www.sans.org/top20

One might also find the link http://www.sans.org/resources/10_security_trends.pdf helpful as it provides trends that will impact security threats.