Every organization faces some risk or potential threat that could interrupt its operations. These risks and threats can come from within or outside the organization. To prepare for the worst that could happen, organizations must focus their attention on how to assess the different types of risk in order to protect the organization from possible negative effects on its daily operations. Performing a risk assessment is one of the most important steps in the risk management process (eHow, 2011).
A risk assessment is a periodic assessment of the risk and magnitude of the harm that could result from the unauthorized access, use, disclosure, disruption, modification, or destruction of information and of the information systems that support the operations and assets of the organization. A risk assessment should include a consideration of the major factors in risk management: the value of the system or application, threats, vulnerabilities, and the effectiveness of current or proposed safeguards.
Many organizations perform risk assessments to measure the amount of risk that could affect the organization and to identify ways to minimize these risks before a major disaster occurs. The Department of Defense Information Systems Agency (DISA) follows guidelines and policies governed by processes through which the organization assesses and manages its exposure to risk. This paper identifies the risks and potential effects associated with the areas of the organization pertaining to security, auditing, and disaster recovery.
Security is divided into three major areas: physical security, which includes access to the building, offices, and the rooms housing the organization’s servers and other critical computing devices; external threats to the organization’s computing network, such as hackers and malicious software; and access and permissions granted to authorized users of the system and of the information it holds.
Physical security of the DISA field office involves securing assets by means of locked doors and an alarm system for non-duty hours. Employees are required to wear identification badges at all times while inside the organization’s facility. Visiting guests are logged into the visitor log at the reception area by the individual hosting the guest, and the guest is escorted at all times while in the facility. DISA users are not authorized to take their assigned laptops home unless the laptops are protected by approved hard drive encryption software. Downloading organizational information onto floppies, CDs, thumb/flash/memory drives, and other portable media is not permitted unless proper authorization has been obtained and proper security measures are in place to protect that information.
To mitigate these threats and keep the organization’s assets and proprietary information as secure as possible, a comprehensive defense-in-depth strategy has been put in place. The defense-in-depth strategy covers people, network, host, and application. Each of these categories contains three components which, when combined, provide more strength to the organization’s security posture than any one component alone. Using this defense-in-depth strategy and applying tools, techniques, and methodology from all 12 components maximizes the organization’s overall security posture (Hazelwood, 2006).
People are the first line of defense in the organization’s security strategy. The organization has well-defined policies and job descriptions that define the security-related roles and responsibilities of assigned personnel. The organization also has a well-written security awareness training program and documents the annual training completed by assigned personnel. The organization keeps the skills of the personnel responsible for the information assurance infrastructure current through a dedicated training budget. The organization has a well-documented incident response policy.
The network is the second line of defense. The organization has a well configured and approved...