Managing Risk in Information Systems
Lesson 7
Identifying Assets and Activities
to be Protected
© 2015 Jones and Bartlett Learning, LLC, an Ascend Learning Company
www.jblearning.com
All rights reserved.
System Access and Availability
Goal: 99.999 percent up time
Failover cluster
RAID
Remember that systems availability deals with making a system available to the user when needed. There are a few situations where a system must be available 24 hours a day, 7 days a week, 365 days a year. 100% availability is impossible, but 99.999% could be the goal. There can be no single point of failure.
This diagram shows a failover cluster concept where duplicate systems (database and storage) are purchased and maintained so that any downtime to one allows the user to access the other. The VA Automation Center marketed a 99.9% goal to its customers, and its infrastructure included multiple database servers and multiple data storage systems, providing the same concept as the RAID system shown in this diagram. By having more than 2 systems, any one could be taken offline and still maintain the failover concept.
Since the VA Automation Center was a direct-bill facility, providing real-time service to all customers, any downtime resulted in a penalty that negatively affected actual revenue. In addition, downtime indirectly affected revenue when customers lost confidence in the agency's ability to provide services. Finally, VA employees accessed the system from across the country in different time zones and during various shifts and needed access 24 hours per day, 365 days per year.
System Functions: Manual and Automated
Manual
Written records
Knowledge of process
Automated
A reminder that assets can be hardware, software, information and services. When we talk about manual services, we are talking about the written record – the information and services provided by a person. If you walk up to the front counter of a bank, the clerk manually enters information for you. They have the knowledge of the process and work with the written record. There are multiple clerks who have been trained to provide service to you, so the loss of one employee should not negatively impact the service to you, nor should it affect the quality of the transaction to the written record.
When you drive up to an ATM at the bank, you can perform most of the same transactions, but because it is automated, the transaction should be more accurate. However, you, acting as the equivalent of the clerk, may impact the transaction (are you new to this process, or have you done this often?).
When you are in the bank, the loan officer provides a different service. There are most likely fewer people who know how to be a loan officer and understand all of its functions. The automated processes to obtain a loan still require the loan officer to make a decision. The ability for the customer to complete the majority of the loan documents online provides a better process, and if the application is actually evaluated by the system, the automated process should be better.
Automated processes provide value to the customer as long as they are clear and efficient. They provide value to the company, which can shift labor costs to other functions. They ensure services are available when needed by the customer – the ATM is available 24x7 with limited downtime. They ensure the data is protected because the processes minimize the need to expose Personally Identifiable Information (PII).
Hardware Assets
Computers: Servers, desktop PCs
Networking devices: Routers, switches
Network appliances: Firewalls, spam appliances
There are a number of hardware assets that need to be protected. Knowing where all these assets are located and what their characteristics are is critical, and making decisions about purchasing and upgrading these systems is essential to control costs and minimize risks.
As an example, when Mac systems were gaining popularity, the Army Recruiting Command limited the purchase of Mac systems to divisions that needed their unique visual presentation capabilities. This was done because attempting to manage the baseline of thousands of computers, used by tens of thousands of soldiers across the entire U.S., was a difficult issue. By limiting the Mac systems to a specific organizational element, it controlled their maintenance and upgrading requirements.
For another example, Microsoft XP was a successful product with limited issues and easily handled upgrade problems. When it was replaced by Vista, there were a number of significant issues. Many companies refused to upgrade to Vista and even forced Microsoft to delay XP’s termination date until it could provide a new product line, Windows 7, that did not expose the systems to unacceptable risks.
Hardware Assets (Cont.)
Information you need to know:
Location
Manufacturer
Model number
Hardware components, such as processor and random access memory (RAM)
Hardware peripherals, such as add-on network interface cards (NICs)
Basic Input/Output System (BIOS) version
Organizations need to track their entire hardware inventory using some type of database or spreadsheet. This is critical to determine where equipment is located, how it is protected, when it should be replaced and when it should be retired.
Inventory of assets should be conducted periodically to ensure equipment has not been moved, stolen or left unprotected. If equipment is lost, it should trigger an investigation that helps evaluate the risk management plan. If moved, it should also trigger an investigation that helps protect that equipment in its new environment.
Software Assets
Operating system and applications
OS specifics should include:
Hardware system where it’s installed
Name of the operating system
Latest service pack installed
Application specifics should include:
Name of the application
Version number
Service pack or update information if available
Although not tracked as frequently as hardware, software assets should also be identified and tracked. As an example, IT departments often create software images that contain all the authorized products in use by the company, and these images are loaded to all the computers via the network. The authorized products must be documented, and when new releases are available, a new image should be developed. Deployment of these new images, however, is often scheduled to minimize impact on the organization. In addition, when a division or department requires specialized software, it must be added to the image and controlled.
Automated Asset Management uses the power of the network to find and document all software loaded on each piece of equipment and helps the IT department know if unauthorized software is present on the system. This protects the organization from lawsuits from vendors whose software is loaded unlawfully and used without permission.
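An added example (not from the lesson or its textbook) of the periodic hardware inventory check and the automated software audit described above: it reconciles the recorded inventory against what a discovery scan reports. The asset tags, field names, application names and sample data are constructed for illustration, and treating the authorized version as a minimum is an assumption.

```python
"""Reconcile a recorded inventory against a discovery scan (constructed data)."""

# Recorded hardware inventory: asset tag -> fields from the slide's list.
RECORDED = {
    "HW-001": {"location": "Room 101", "manufacturer": "ExampleCo", "model": "S-200", "bios": "1.4"},
    "HW-002": {"location": "Room 102", "manufacturer": "ExampleCo", "model": "D-50", "bios": "2.0"},
    "HW-003": {"location": "Room 102", "manufacturer": "ExampleCo", "model": "D-50", "bios": "2.0"},
}
# What the periodic audit or network discovery actually found (constructed).
OBSERVED = {
    "HW-001": {"location": "Room 101", "bios": "1.4"},
    "HW-002": {"location": "Room 210", "bios": "2.0"},  # moved
    "HW-999": {"location": "Room 101", "bios": "3.1"},  # not in the inventory
}
# Authorized image: application name -> minimum approved version (assumption).
AUTHORIZED = {"OfficeSuite": "5.2", "MailClient": "3.0"}
INSTALLED = {
    "HW-001": {"OfficeSuite": "5.2", "MailClient": "3.1"},
    "HW-002": {"OfficeSuite": "5.10", "MailClient": "2.9", "TorrentTool": "1.0"},
}


def version_key(version):
    """Compare dotted versions numerically, so 5.10 sorts after 5.2."""
    return tuple(int(part) for part in version.split("."))


def audit_hardware(recorded, observed):
    """Return (asset_tag, finding) pairs that should trigger an investigation."""
    findings = []
    for tag, rec in sorted(recorded.items()):
        seen = observed.get(tag)
        if seen is None:
            findings.append((tag, "missing"))  # lost or stolen
            continue
        if seen["location"] != rec["location"]:
            findings.append((tag, "moved"))
        if seen["bios"] != rec["bios"]:
            findings.append((tag, "bios_changed"))
    for tag in sorted(set(observed) - set(recorded)):
        findings.append((tag, "untracked"))  # on the network, not in the records
    return findings


def audit_software(authorized, installed):
    """Return (asset_tag, application, finding) for software outside the image."""
    findings = []
    for tag, apps in sorted(installed.items()):
        for name, version in sorted(apps.items()):
            if name not in authorized:
                findings.append((tag, name, "unauthorized"))
            elif version_key(version) < version_key(authorized[name]):
                findings.append((tag, name, "outdated"))
    return findings


if __name__ == "__main__":
    for finding in audit_hardware(RECORDED, OBSERVED) + audit_software(AUTHORIZED, INSTALLED):
        print(finding)
```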
Personnel Assets
The people working for you
When any function or process depends on a single person, he/she becomes a single point of failure
Reduce risk by:
Hiring additional personnel
Cross-training
Rotating jobs
As discussed earlier, it is also important to look at personnel assets to determine if there are risks associated with the loss of a key person in the organization.
If a function is only performed by a single person and that function is complex, the risk of loss can be mitigated by hiring additional personnel to learn and use the system. It does not mean this person has to work full-time at that position, but they need enough experience to take over when a loss occurs. As an example, when we implemented our new enterprise student information system, experts from various areas were reassigned full-time to the 2-year project. Funds were included to back-fill these positions before the project started so that the new personnel could learn the system before the experts were reassigned. In addition, these experts could be called upon if needed to help the new staff understand a complex issue or solve a problem. The goal was that the new hires would be released at the end of the project, but in fact, approximately ¼ of the experts quit or were hired by other agencies before the project was completed. Their back-fills were able to help finish the project and continue employment with the organization.
Another way to reduce risk is to cross-train personnel so that multiple people become experts on a number of systems. Although these personnel may not have as much knowledge of individual systems as they would if they specialized in only one system, the risk of loss is not as great when someone else can take over.
Finally, you can reduce risk by rotating jobs. At some large data centers, the help desk is staffed by experts from other divisions. Experts are reassigned for as much as 3 months to work in the help desk. This provides the expertise needed in the help desk to quickly resolve issues and also allows the experts to learn about issues that customers are having, so that when they return to their normal duties, they are better aware of ways to help customers.
Data and Information Assets
Data protected by:
Access controls
Backups
As discussed earlier, data and information are also assets that must be protected and yet are often ignored until a threat causes loss. Consider how often we use our computers to accomplish our work but fail to back up the data and information once finished. Adequate backups are critical, and when the backup process can be automated, removing the reliance on humans to do it manually reduces the risk. Think about the ability your computer has to automatically back up data: is it done automatically? Has someone in IT helped you with creating backups for your data? At the college where I work, all employees are given 500 megabytes of disk space on the network storage devices where we can back up our computers. Rarely is this storage used and, more important, rarely does IT provide instructions and reminders to use the storage. The space was provided to mitigate the risk but follow-up was never a priority.
As discussed earlier, we can use access control to limit unauthorized access to data. Access control can be automated, as in computer login processes, or can be written policies such as locking documents in file cabinets or drawers, turning over documents when they are left on the desk to limit what can be seen, or not leaving documents out when you leave your area. It is taking time to think about the risk and taking steps to mitigate it.
Data Classifications
Organization Classifications
Proprietary: Highest level of protection
Private: Protected internally
Public: Freely available
Government
Top Secret
Secret
Confidential
We discussed earlier that data needs to be classified based on the impact of its loss. In the government, data is classified as Top Secret, Secret and Confidential. Organizations would classify it as Proprietary, Private and Public. Even public data must be protected from the wrong hands.
Data and Information Asset Categories
Organization
Customer
Intellectual property
Data warehousing
Data mining
Organizational data includes employee data, billing and financial data, system configuration data (often stored in a database), system process data (that shows how systems work) and vendor data.
Customer data includes any information on the customer; the more information stored, the more valuable that information becomes and the more it must be protected. This is especially true if this data contains Personally Identifiable Information (PII).
Intellectual property data is created by the organization or personnel within that organization and includes inventions and literature/artwork. It may be industrial property, such as designs, trademarks, inventions and patents, or copyright materials.
Data warehouses are used by large organizations to collect and store data across multiple functions and business elements. A data warehouse is a snapshot in time of what is going on within the organization.
Data mining is the sophisticated Business Intelligence process that allows organizations to use statistics to examine data and predict the future.
A new concept has emerged within the last few years called Big Data. This is a database system that contains so much data that it is hard to analyze. Imagine watching 10 TV stations at the same time to get the latest news. It would be overwhelming. Now imagine a station that has an audio feed with a scroll at the bottom that contains other types of news. This format allows subscribers to capture information in multiple formats at the same time. Big Data analysts find ways to pull data from these large databases and make it meaningful to the manager and decision maker.
Asset and Inventory Management Within the Seven Domains of a Typical IT Infrastructure
Inventory management
Used to manage hardware inventories
Asset management
Used to manage all types of assets; much more detailed data than an inventory management system
At this point, we need to differentiate between an Inventory Management system and an Asset Management system.
Inventory management is for hardware assets – where they are located, what model of hardware, what serial number. This is a basic system that can be maintained via a spreadsheet. At our college, we use it to periodically verify that all the equipment is still present and help us decide when to buy new equipment or salvage old equipment.
Asset management includes all types of assets and often requires the use of a database system. As an example, at the university in south Texas, all the software assets were tracked, including the annual maintenance contract costs. When we purchased our new enterprise system, we used the Asset Management system to discover that we already had a contract for the Oracle database system and, by modifying the existing contract, were able to save hundreds of thousands of dollars in purchase and maintenance costs.
Seven Domains of a Typical IT Infrastructure
Figure 4-1: The seven domains of a typical IT infrastructure.
User Domain
Includes usernames, passwords, biometric or other authentication that protects data from unauthorized access.
Workstation Domain
Includes end user systems, laptops, desktops, and cell phones, which must be protected from theft and tracked via an automated asset management system to ensure updates are applied.
LAN Domain
Includes equipment required to create an internal LAN, such as hubs, switches, and media, and must be maintained in an asset management system that captures current configurations.
LAN-WAN Domain
Includes the transition area between the LAN and the WAN, including the router and firewall, and must be maintained in an asset management system that captures hardware information and current configurations.
WAN Domain
Includes routers and circuits connecting the wide area network and is maintained similarly to the LAN-WAN domain.
System/Application Domain
Includes applications you run on your network, such as e-mail, database and Web applications, and is maintained similarly to the LAN-WAN domain.
Remote Access Domain
How remote or traveling users use your network, as in a Virtual Private Network (VPN). This includes information on both modems and other telecommunications equipment.
Identifying Facilities and Supplies Needed to Maintain Business Operations
Identifying mission-critical systems and applications
Business impact analysis planning
Business continuity planning
Disaster recovery planning
Business liability insurance planning
Asset replacement insurance planning
A mission-critical system must continue to run to ensure the business survives.
The Business Impact Analysis (BIA) looks at the impact of the loss of a business function as either direct or indirect costs. The BIA is similar to a Risk Management and Risk Assessment plan in that it has a scope and objectives – what is the direct and indirect impact of the loss and how much would it cost over a period of time. The BIA separates the critical functions from the non-critical functions and finally maps the business functions and processes to the actual systems in use.
Business Continuity Planning (BCP) helps plan for a disaster or emergency. It ensures critical operations continue to function and includes procedures and instructions used to restore operations in the event of a disaster. Typically the BIA and BCP are done in conjunction with each other. There are 3 phases in the BCP: the Notification/Activation phase responds to the emergency and takes steps to continue operations; the Recovery phase assesses damages and restores the systems to full operations, starting with the mission-critical systems; and the Reconstitution phase is when the organization returns to full function.
The Disaster Recovery Plan (DRP) provides details to recover a system after a disaster. It is part of the BCP. The BCP describes how processes will be sustained, while the DRP describes how to recover systems, at an alternate facility, when there is a failure. The BCP identifies critical systems and acceptable downtimes. It includes both the BIA and DRP.
Business liability insurance includes general insurance that protects against injury and property damages; professional insurance that protects against malpractice, errors or negligence caused by employees; and product insurance that protects against injury caused when using the product.
Asset replacement insurance helps replace assets when they are destroyed.
Summary
Identification of key activities
Identification of key assets
Recognize value of data
Basic planning steps of a BIA