“One of the most important assets any organization possesses is its data. Although the data itself varies among organizations and economic sectors—a research hospital’s important data may be data collected in the latest clinical trial while a magazine’s is a list of its current subscribers—it is the lifeblood of an organization. Without data, organizations could not function”. Data risk management is the auditing of a computer or network to assess what vulnerabilities exist, and the taking of steps to manage the resulting potential for loss.
Risk Management Steps
Many organizations do not address the risks associated with the data they own, do not feel a need to safeguard it, and undervalue its importance. An organization’s information is as valuable as its other possessions, such as personnel, finances and property. There are defined steps to take when assessing risks to a computer or network: the identification of assets and threats, a vulnerability appraisal, a risk assessment and the mitigation of that risk. Risk management is a process for determining the potential for loss from threat factors such as equipment failures, physical catastrophe and criminal attacks. As an example of a limited risk management study performed on this personal computer (PC), the writer will begin with a determination of the assets involved.
The assets of a large, enterprise organization can comprise such items as buildings, personnel, software, hardware and, of course, the data. On the small scale of an end user such as me, the assets consist of the PC hardware used, the software, the operating system (OS), the networks accessed, the data I create and myself. Without me, these colorful and entertaining essays would not come to light.
My hardware asset is identified by items including the manufacturer, model, type, serial number, location and computer addresses, such as Internet Protocol (IP) or Media Access Control (MAC) and any other distinctive information known to identify the hardware.
Shown in the table below is an example of my hardware asset assessment.
Table 1. Hardware asset identification

Manufacturer  Model        Type      Serial       Location  MAC
Apple         MacBook Pro  Portable  W891012571A  Home      00:23:6c:96:1c:10
The next step is to identify threats from the various threat “agents”. These agents include, but are not limited to, theft, OS failure, vandalism, compromised systems, sabotage, human error and natural disaster; they are only a handful of the agents that could be identified.
Shown in the table below is an example of the threat agents I identified.
Table 2. Threat identification

Theft; OS Failure; Compromised System; Dropped Portable Computer; Software Attacks; Hardware Failure
Step three entails a vulnerability appraisal to determine what security weaknesses are present. The result is a glimpse of the organization’s state of security. Each asset is examined for incorrect configurations, improper hardware settings or a lack of wireless security such as Wi-Fi Protected Access 2 (WPA2). I believe I have already addressed any vulnerability in the past, as my computer is well protected. I will go into more detail later under Risk Mitigation.
Step four comprises a risk assessment: determining the damage an attack could cause and the risk that the vulnerability poses to the organization. Determining the risk requires a genuine assessment of the different types of vulnerabilities or attacks that may arise. The risks are then ranked, ranging from minor to catastrophic events.
Shown in the table below is an example of my risk assessment.
Table 3. Risk Assessment

Impact scale (least to most severe): No Impact | Small Impact | Significant | Major | Catastrophic
Events, listed in order of increasing impact: Misplaced Mouse or Charge Cord; Malfunctioning or Cyber Enslaved; Stolen; Dropped and/or Fire Damaged
Finally, when the identification, appraisal and assessment are complete, a determination needs to be made about what should be done: accept the risks for what they are, or take steps to minimize them?
Risk Mitigation
Fortunately, I use WPA2 encryption on my wireless access point (AP).
I also have a personal firewall configured to protect my system from attackers by preventing unauthorized applications, programs and services from accepting incoming connections without my knowledge. I have even enabled “Stealth Mode”, which directs my computer not to respond to or acknowledge attempts to access it. This effectively ignores applications that ping or scan the computer. Physically, I keep my portable computer hidden when I leave the house. When travelling, I am wary of leaving my computer bag unattended, and I ensure that I have it with me at all times. I also have a feature installed on my portable called “Find My Mac”, where the computer can be tracked via the global positioning system (GPS). If stolen, I would have the option of remotely locking the computer and also remotely wiping its hard drive, even if no user is logged in.
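The five steps above, walked through as a small risk register for the laptop in Table 1 and the events in Table 3. This is an added example, not part of the essay; the likelihood values, the scoring rule (impact index times likelihood), the acceptance threshold, the residual impacts and the control names are constructed assumptions drawn from the mitigation section.

```python
from dataclasses import dataclass, field

# Impact levels exactly as Table 3 lists them, least to most severe.
IMPACT_SCALE = ("No Impact", "Small Impact", "Significant", "Major", "Catastrophic")

@dataclass
class Risk:
    asset: str
    threat: str
    impact: int                # index into IMPACT_SCALE (0 = No Impact)
    likelihood: int            # 1 (rare) .. 5 (frequent); constructed scale
    controls: list = field(default_factory=list)  # mitigations in place
    residual_impact: int = -1  # impact after controls; -1 means unchanged

    def inherent_score(self) -> int:
        return self.impact * self.likelihood

    def residual_score(self) -> int:
        imp = self.impact if self.residual_impact < 0 else self.residual_impact
        return imp * self.likelihood

def rank(register):
    """Step four: order the register from most to least severe inherent risk."""
    return sorted(register, key=lambda r: r.inherent_score(), reverse=True)

def decision(risk, accept_at_or_below=4):
    """Step five: accept a small residual risk, otherwise flag it for mitigation."""
    label = IMPACT_SCALE[risk.impact]
    if risk.residual_score() <= accept_at_or_below:
        return f"{risk.threat} ({label}): accept residual risk"
    return f"{risk.threat} ({label}): mitigate further"

# Constructed register for the one asset in Table 1, using the Table 3 events.
# Controls follow the essay's mitigation section; residual impacts are assumed.
REGISTER = [
    Risk("MacBook Pro", "Misplaced Mouse or Charge Cord", 0, 4),
    Risk("MacBook Pro", "Malfunctioning or Cyber Enslaved", 2, 2,
         controls=["WPA2 on the AP", "personal firewall, Stealth Mode"],
         residual_impact=1),
    Risk("MacBook Pro", "Stolen", 3, 2,
         controls=["Find My Mac remote lock and wipe", "bag never unattended"],
         residual_impact=1),
    Risk("MacBook Pro", "Dropped and/or Fire Damaged", 4, 2),  # no control listed
]

if __name__ == "__main__":
    for r in rank(REGISTER):
        print(f"{r.inherent_score():2d} -> {r.residual_score():2d}  {decision(r)}")
```

The one row without a control in the register (dropped or fire damaged) is the only one the threshold sends back for further mitigation, which is the kind of gap a register makes visible that a prose walkthrough does not.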
I did not reveal any major vulnerability at the conclusion of my limited, personal computer risk management study. “Risk management is the process of minimizing or mitigating the risk. It starts with the identification and evaluation of risk followed by optimal use of resources to monitor and minimize the same” (ManagementStudyGuide.com, 2012). The sense of risk an organization experiences stems from its uncertainty about the vulnerabilities it identifies. By taking steps to identify the vulnerabilities, assess the risk and create a plan to mitigate it, an organization can protect itself from loss.