McBride Financial Services is a virtual organization at University of Phoenix that provides mortgage services for its members. McBride has as its stated goal to be a "preeminent provider of low cost mortgage services using state-of-the-art technology in the five state areas of Idaho, Montana, Wyoming, North Dakota, South Dakota." McBride provides services for three primary groups of mortgage seekers: professionals purchasing a primary or secondary residence, retirees purchasing a primary or secondary residence, and families and/or individuals purchasing recreational properties. The goal of the company is to provide mortgage services at a fixed low rate of $1500 to approved applicants.

In order to provide these services optimally, it is necessary to assess the organization's risks and develop a plan to mitigate them. The risk assessment will identify the approaches to be implemented for the elimination of avoidable risks and the minimization of the risks that are unavoidable. The discussion that follows limits the risk assessment to IT-related issues: security, auditing and disaster recovery. Risk assessment means determining two quantities for each risk: the magnitude of the potential loss and the probability that the loss will occur. Risk assessment is therefore one step in the wider risk management process (http://en.wikipedia.org/wiki/Risk_Assessment). An organization has to have policies in place to identify and manage risks. Oldfield and Santomero (n.d.) developed the following guidelines for successfully implementing the risk management policy set up by the business:
It has to be integral to the firm's business plan.
It has to define a measure of risks in each business consistently across the firm.
Initiate procedures for risk managing at the point nearest to the assumption of risk.
Develop databases and measurement systems in accord with business practices.
Install a comprehensive risk management system to evaluate individual, business, and firm-level performance.

Therefore, a Risk Assessment and Management project team must be formed to conduct a thorough analysis of the system and provide recommendations and policies for dealing with disaster. At McBride, the design of the system network will affect security, auditing and disaster recovery; therefore a comprehensive analysis of the network design, security and disaster recovery will go a long way toward mitigating possible risks.
Disasters, Backup and Recovery Plan
To develop its backup and recovery plans, McBride needs data from an analysis of the risk factors, ranked by their likelihood and by how their effects progress once they occur. This data may be used to develop effective and balanced measures for loss prevention, mitigation, and recovery. Disasters can be classified into three broad categories:
Technical Disasters: Equipment Failure, Database Service Failure, Software Failure, Loss of Power, Loss of A/C.
Natural Disasters: Fire, Tsunami, Flood, Earthquake, High Winds, Airplane Impact.
Human-Caused Disasters: Theft, Vandalism, Virus, Unauthorized Access, Tampering, Code/Data Error.

Measures that must be taken to mitigate technical disasters include the following:
UPS for all critical devices.
Consider the use of localized (directed) cooling and maintain back-up equipment cooling measures.

The importance of backup and restoration is paramount; backups will be kept both off site and on site. All branch offices should back up their information to corporate headquarters after first doing a local backup, and the corporate office data will in turn be backed up at other branch offices. McBride is a mortgage company that deals with customers' financial information. Customers' financial information and data is protected by the SOX act. Therefore, the following additional risk-mitigation and prevention measures should also be pursued to further protect the databases that contain the customers' information:
Invoke "preferred" equipment replacement...
References:
Dean, T. (2002). Network+ Guide to Networks (2nd ed.). Thomson Course Technology.
Dubie, D. (2006). "Managing risk: new reality for IT security executives." Network World.
Mackie, A. (2000). "Information Protection Centers – An Organizational Approach to Security." SecurityFocus.com. www.securityfocus.com/infocus/1451
Oldfield, G. S., and Santomero, A. M. (n.d.). "The Place of Risk Management in Financial Institutions." http://www.gloriamundi.org/picsresources/goas.pdf
Rodney, G. (2005). "Hacker Mitnick preaches social engineering awareness." Computerworld Today (Australia), July 22.
Sharick, P. (2002). "Techniques for Establishing Highly Secure Systems." Windows IT Security, June 2002 Edition.
Stoneburner, G., Goguen, A., and Feringa, A. (2002). "Risk Management Guide for Information Technology Systems." NIST.
Van der Walt, C. (2002). "Assessing Internet Security Risk, Part 1: What is Risk Assessment?" SecurityFocus.com. www.securityfocus.com/infocus/1263