Risk Assessment

With the rise of the internet and the aftermath of September 11, 2001, the threat of compromised information is growing. The internet has shown companies that information can be transferred, stolen, or compromised not only from afar, but also in ways that are virtually untraceable. September 11, 2001 showed the United States of America that no one and no country is untouchable to those who want to destroy or disrupt information for the sake of political gain.

Because of this new world attitude, companies need to adopt more efficient, cost-effective, and reliable countermeasures against those who wish to corrupt modern corporate assets. Because personal computers are so readily available, and because computing has now gone mobile with the advent of cell phones, individuals who want to infiltrate the modern corporation can easily do so. “Qualys, the firm that scans for vulnerabilities on millions of systems in hundreds of large organizations around the world, has an excellent perspective on where new vulnerabilities are being discovered. ‘We have seen a huge jump in the vulnerabilities in Microsoft Office products,’ says Amol Sarwate, Manager of Vulnerability Labs at Qualys” (2007).

For a company that deals in information, especially computer-based information, information and knowledge have now become the most valuable asset, with staff in second place. “One of the primary premises of knowledge management is that an individual’s knowledge can be captured and converted into group or organization-available knowledge. This gives an organization a sustainable advantage in what their employees know and what they do with what they know” (Vorhes, 1991).

Individuals can and always will be replaced; however, the knowledge they take with them, or the software they developed while at a particular company, can only be protected as long as their integrity is intact and reliable. It is this author’s opinion that every person has their price; some set their price higher than others, but everyone has a price, and for the right price knowledge, skills, and development can be bought as easily as they can be corrupted. Because of this, no individual should be trusted regardless of what confidentiality form is signed.

Knowledge and software need to be protected not only from outside sources but from inside ones as well. Taking a page from the Department of Justice, the first step in deciding where the security risks lie is to conduct an audit to find where the greatest risks are and where potential risks may come from. “The audit, by Justice Department Inspector General Glenn A. Fine, also noted that the department ‘lacks effective methodologies … for maintaining an inventory of devices connected to the department’s various (information technology) networks’” (Waterman, 2008).

This audit needs to evaluate the current physical and information security measures, current confidentiality agreements, the knowledge and security levels of employees, and any loopholes or back doors into the company’s intranet. The following is a guideline for the type of audit that needs to be conducted and which parts need to be evaluated. “Implement Countermeasures to streamline your risk assessment process:
- Collect data more efficiently with automated assessment tools
- Analyze data more effectively using a repeatable process that prioritizes your risks, threats, and recommendations
- Generate management-level reports and graphs that address vulnerability, threats, risk, and compliance
- Justify funding by showing return on investment
- Manage your organization’s security/safety data in a central database
- Respond accurately and quickly to new issues or management inquiries” (2007).

Once the audit is complete, the following measures will need to be taken in order to replace the outdated, overlooked, and inefficient security measures.

“The key component of a strong Risk Mitigation program is knowing where your threats reside – especially those in your software systems which run your business and store confidential data” (2009). One of the areas that is hard to control is the knowledge that each employee has or obtains while employed with this company. Individuals bring their own knowledge with them, but they also gain knowledge while employed here. The way the company controls that information is to split up each project, and the knowledge of its most important aspects, among only those employees who need to know.

If an employee has only part of the formula and decides to leave for another employer, it would be difficult for that employee to reproduce the project exactly with the limited knowledge they take with them, even if they decide to break the confidentiality agreement. Though a confidentiality agreement is legally binding, it does not stop an individual from divulging information to a new employer, and though the threat of a lawsuit is always there, it can be costly for the company to go through a trial in order to bring suit against an individual who has violated the confidentiality agreement.

In order to avoid that cost altogether, the company need only break up the information for a project, allowing just one or two well-trusted individuals to know how to assemble the project to get the desired result. Even though one or two individuals have total knowledge, these must be individuals who are well trusted and have enough tenure with the company that the risk of their leaving, or of a security breach, is low or non-existent. This analysis needs to be conducted on an annual basis in order to maintain the integrity of the system and the efficiency of the program.

The main purpose of conducting the analysis annually is so that any flaws in the system, or any items that were missed, can be corrected, and so that any potential problems that surface as a result of the analysis can be caught. The importance of conducting this analysis annually cannot be stressed enough; the year in which the analysis is skipped is the year in which a security violation is most likely to occur. The analysis is also a further deterrent against compromised information, by the mere fact that employees know it happens once a year and may be less inclined to violate their confidentiality agreements.