Technology Risks

System Administration Practices

System administration practices certainly vary, but common practices might be: security audits, backup procedures, management procedures, system configurations, and training.

Client System Access Control

Access security on client machines (including unauthorized access), scanning for viruses, procedures for unattended machines, and assessing the probability of hackers are all included in this area.  The dependency on specific vendors and that implication should also be considered

Operational Policies

Key Person Dependency

Relying on one person to maintain networks, computer facilities and such can severely compromise the day-to-day operations if problems occur.  Having the necessary support structure with backup personnel is important.

Passwords

Passwords are like lock combinations – easily guessed passwords allow anyone to use a personal computer for illegal purposes.  How are they assigned, is there any enforcement, are they checked in any manner?

Data Exposure/Loss

The issue of how sensitive data is stored is an issue. The ease that someone might have in accessing or altering is critical because it can be damaging to a person or the institution.

Physical Security (internal)

Sufficient measures need to be in place to ensure security within a department (or operating unit).  Ensuring it is difficult for someone to get access to sensitive data, communications facilities, critical hardware/software, and other facilities is essential.

Cleartext

Applications must be aware that any network data may be intercepted, altered, or forged and there needs to be appropriate authentication steps.

Physical Security (external)

In many cases there may be operating facilities that are located in locations other than the main area (for example, labs, support desks, and so on).  Physical security for these assets is also an important part of the overall program and reflect a risk to operations.

Spoofing

This could be the act of forging a machine’s identify, or using other techniques to attempt illegal access to a system.

Natural Disaster

Natural disasters such as lightning or a tornado could cause serious problems in operations.  There should also be concerns about fire, power outages, and other disruptions that can limit (or halt) operations.

Construction

Construction problems can disrupt or destroy equipment, and there needs to be sufficient backup and planning to carry on business.

Software Defects

Unintentional defects in software received from vendors.

Denial of Service

An attack intended to consume some resource required to provide a service.  This could be disk space, network bandwidth, CPU capacity, etc.

Customer Data Loss

Loss of data due to hardware failure, theft of data, or perhaps not having sufficient backups.  This also would include loss of data because of unintentional exposures through a system failure or action by employee

Hardware Failure/Service Loss

Loss of service due to hardware failure or loss.

Malware

Malicious code. Software designed to disrupt service, that is, viruses, Trojans, worms, back doors.

Misappropriation

Use of computer resources for unauthorized activities, that is, distribution of copyrighted materials, denial of service attacks.

Man in the Middle

Intrusion of a hostile third party into a network connection.  The third party may just observe, or may attempt to alter data.

Address Spoofing

Escalation of privileges by using a network trust or authorization based on address.

Unavailability of Key Personnel

Unavailability of key personnel due to disaster, job action, widespread illness, etc.

Former Employees

Intentional actions by former employees using knowledge gained while an employee.

Social Engineering

Use of trickery to gain access or information.  Social engineering usually involves gaining small amounts of information from a large number of people by using information obtained to establish credibility as computer support or other personnel.

Civil Disturbance

Riots, protests, etc.  Activities that involve large numbers of people and which may disrupt the normal availability of fire, police, and EMS services or make travel difficult.

Contamination

Smoke, biological or chemical agents, asbestos.  These hazards can render an area unsuitable for human access or require special procedures for access.  Equipment may remain operational and the facility may be usable after cleanup.

Structural Damage

Damage that renders a location unsuitable for human occupancy.  This could be the result of a vehicle crash, severe weather, physical damage, etc.

Utilities

Loss of utilities other than power, that is, water and/or natural gas.

Software Updates

Failure to keep computers up-to-date with an operating system, antivirus software, or firewall.

Personnel

Not having sufficient personnel to support the hardware and software, and not having personnel with the proper training.

Physical Security

Anything from building security, to room security, to the general access to computers that might contact sensitive data.  Equipment may be physically damaged or stolen, and data stolen.

Sharing Account Access

Sharing passwords with colleagues/students to allow for multiple access to systems that contact sensitive data.

Loss of Network Connectivity

Losing access to electronic mail, calendaring functions, and critical data.

Vendor Software

Vendors often provide products that are vulnerable to attack, and are not timely in publishing patches to prevent attackers from compromising systems.

Loss of Outsourced Services

Risks of losing access to systems and services hosted by another organization for an unacceptable period of time.

Virus Infection

Users open attachments from unknown sources due to ignorance or falling victim to social engineering, or failure to install antivirus software and keep definitions updated.

Lack of Funds

Not having sufficient funds in the department to secure the necessary hardware/software to provide an acceptable level of security.  This also can contribute to not being able to replace obsolete equipment that could be vulnerable.