INFORMATION ASSETS RISK ASSESSMENT
OVERVIEW
PREPARED BY
7 TEDWAY AVENUE KUTZTOWN, PENNSYLVANIA
(610) 756-4440
• AGE OF INFORMATION
• FOCUS ON PREVENTION
• INTRODUCTION TO INFORMATION ASSETS RISK ASSESSMENT
• POWER RATING THE STORAGE ENVIRONMENT
• RISK ASSESSMENT SURVEY OF RECORDS AND MEDIA FACILITIES
A Systematic Program for Improving
the Disaster Prevention Capability of the Information Management and Vital Records Storage Facility
Agricultural Age
Industrial Revolution
Age of Information....
The impetus for the INFORMATION ASSETS RISK ASSESSMENT OVERVIEW is that the business world is undergoing fundamental changes in technology and many professionals are unprepared. The speed with which major changes will occur in the coming decade will astound many. Archival Data will be more sensitive and fragile than it has ever been before. Anyone who has ever lost a major report or business record merely by hitting a wrong key or kicking out a plug while changing positions understands how easily information can be lost.
Current desktop computers are 10 to 20 times faster than the best PC on the market in 1993.
The amount of information processed and requiring storage and protection will become monumental. Imaging and jukebox storage for networks is now the standard. Corporations are being totally reengineered to compete in a global economy. Due to this, middle management is disappearing and sales support no longer exists. Today, the salesperson is equipped with a laptop and completes necessary reports on the plane ride home or during the evening news. Information is flying everywhere via e-mail, teleconferences and faxes and it is more sensitive and valuable than ever before. Banking is being done from the home or office. All information is now on-line. How we protect this information is a critical issue.
In the last ten years, we have transformed from an environment where 85% of all computing was done in a computer room located within a secure data center to one where 85% of all computing is being done on the desk top. From 1960 to the present, we have 81 million PCs in service around the world. Within the next decade, this usage will skyrocket to 240 million PCs in use. A vast amount of vital information is now under the control of employees who have no training in the area of disaster prevention or records preservation. How will management react to this risk?
The INTERNET and Information Superhighway are now part of our every day lives.
Information is fluid, and information managers of one type or another are appearing on the scene to try to bring control and security to the process. The appraisal survey included in this package is designed to evaluate your current position with regard to protecting vital information assets. This appraisal can be utilized for your in-house records center or to evaluate your off-site record storage vendor. The benefit of this analysis will be to highlight areas of concern and allow you to systematically correct deficiencies within your program.
WHY FOCUS ON PREVENTION?
DISASTER PREVENTION VS. DISASTER RECOVERY
WHILE MOST DISASTER RECOVERY PLANS FOCUS ON RECOVERY OF THE DATA PROCESSING OPERATION AND TELECOMMUNICATIONS, THE DISASTER PREVENTION PLAN MUST FOCUS ON THE RECORDS MANAGEMENT PLAN AND THE PHYSICAL PLANT FACILITIES.
While insurance will cover the replacement of computers, phone equipment, faxes and other equipment, the loss of the physical plant and the vital records is truly a disaster.
Businesses which lose their vital records in a fire or other disaster have only a 10% chance of surviving the disaster. Therefore, it is critical that these vital records be protected in a way that insures their survival in a time of crisis. Loss of the facility is also a very costly occurrence, but no amount of pre-planning can guarantee that the facility will not be rendered unusable for some period of time. Hurricanes, floods, earthquakes, bombings and fire can overcome most preventive measures.
The cost to move to a new facility is extraordinary when it must be done in response to a crisis. Providing new phones, computer equipment, and furnishings on the spur of the moment for a newly acquired site is so expensive that only those who are properly insured can survive this disruption in function coupled with the cost of relocation. If Risk Management has not done its job and put in place the specialty insurance to cover these business interruption costs, they will affect the strength of the organization. It is important to note, however, that roughly 50% of those who suffer a loss of facility are able to survive the disaster, while the loss of vital records destroys 90% of these businesses.
Therefore, the purpose of this assessment is to eliminate the risk to the vital records, which represents the greatest danger to the organization’s continuing operation. Recent disasters have shown that even with off-site storage, 15% of the vital records inventory is at risk.
Likely causes for this are the following:
1) Executive management’s tendency to keep certain proprietary correspondence within the executive area, thus insuring confidentiality but potentially exposing the documents to destruction.
2) Rotating media in vans which do not provide continuous environmental conditioning. As media is exposed to cycling temperatures and humidity inside the vehicles, the gels in the media which bond the layers together break down, and the magnetic charge is weakened and eventually fails. The swing in temperature from 68º F to 150º F, and relative humidity changes from 30% to 90%, on a hot summer day inside the vehicle causes backup records to become useless when called upon in a disaster. This change in humidity is even more disastrous for microfilm and fiche. Redox blemishes occur, and the media bonds to itself as the gels and chemicals are exposed to moisture. This silent destruction occurs without anyone becoming aware of it until the entire media archive is called upon during the course of a disaster.
3) Work in progress and current work not yet sent off-site. While this work is not large in percentage, it is by value among the most important record as it validates the integrity of the organization’s current position with regard to bank balances, accounts receivable and accounts payable, current client transactions and inventory status.
4) Inadequate storage facilities which allow the “slow burn” or destruction of vital records over time. Improper environmental conditions can allow records to break down, and discovery may take years before management is aware of the cost to the organization.
5) Rapidly changing technology is causing some records to remain in storage with no available means of reading the information. During a disaster, rebuilding the archive may require some of these documents to be read. Finding the hardware for an obsolete system can pose a tremendous problem at a time when time is critical. This may require archiving hardware off-site along with the records to insure access.
Downsizing has also created a few disasters. Disgruntled employees have been known to sabotage records, and following proper procedures and vaulting records is critical to avoid risk. In some cases, the loss of a key person during a reengineering may eliminate the only knowledge base about a procedure or formula. Something as simple as not knowing the combination to safes and files can lead to downtime and loss of image while the problem is solved. The essential step in avoiding a true disaster is to prevent disasters by preplanning. The disaster prevention plan should call for performance standards with inspections, mock drills, operational procedures and total management commitment to insure their enforcement. This entails not just describing and documenting operational procedure now, which is most managers’ idea of how ISO 9000 works, but documenting how these procedures should meet performance standards. These performance standards are designed to insure survival of the vital records and information assets of the organization. The final test of these standards is review by industry experts and mock drills which create conditions dramatizing those risks your plan is designed to avert.
After completion of drills and professional review, the plan should be rewritten to eliminate weaknesses discovered during the testing process. This process should be reevaluated any time a change takes place in the organization, whether it be hardware or procedural, which might affect future performance.
After a new plan is put in place, a time table should be set in place for review of the plan and its actual effects. Review, critique, implement changes and then set a time table for the next review. Management should treat this plan as a living, breathing operation which is constantly evolving, because each change in hardware and technology can impact your disaster preparedness.
INTRODUCTION TO INFORMATION ASSETS RISK ASSESSMENT
The following overview is presented in two phases. The first phase is to determine the overall security and safety of the Information Assets. This must be done at two levels, the first being an evaluation of the on-site storage area or facility. Step one is to determine how records are being stored (paper documents, microfilm, optical disk, floppy disks or direct access storage devices) and then determine the value of each of the different types of records to the organization. Secondly, value is determined by means of appraisal of “cost of replacement” or “disaster recovery costs” to the organization. Once the value of the information is ascertained, the appropriate level of security can be mandated.
After a corporation investigates their own facilities and determines their strengths and weaknesses, they should then evaluate the capabilities of their off-site provider. It is the combined strength of the two record keeping operations which must meet management’s acceptable level of performance. These performance standards can then be utilized within the audit plan or even as the standards for the ISO 9000 document.
The setting of the Power Rating should be done by the Risk Management or Audit Department and then be approved by the Legal Department. In this manner, if a loss occurs due to a disaster or internal handling policies, no claim of negligence on the part of management can be made by those affected by the loss. Management has asked for and received opinions from those it feels are most capable of evaluating procedures, risk exposure and legal compliance.
It is important for business entities and service providers to develop a set of performance standards which are acceptable for their particular industry. Financial institutions are mandated to have their mortgage documents within a vault with the minimum level of fire protection being two hours, regardless of which type of format is used for storage. Negotiable collateral within the trust document files must be in a secure facility. Environmental conditions are determined by the desired retention or storage period of the information or artifact. If the proper storage conditions cannot be provided, then the corporation must make a commitment to reimage the documents before they reach a degree of deterioration which would affect the quality of the information asset as a permanent record or as evidence in a civil or criminal proceeding.
In addition to the Power Rating for the vital records storage chamber, the overall risk exposure for the record center must also be determined. Enclosed is a Risk Assessment Survey which rates the record center campus and facility in general. This evaluation is broken down into the following segments:
1) Site Evaluation
2) Facility Evaluation
3) Vault Evaluation
4) General Security
5) Life Safety
6) Environmental Conditions
Each segment is completed by means of a physical inspection and completion of the survey in a simple yes/no questionnaire. After completion, the scores are faxed to Firelock to be tallied and graphed, depicting a Risk Analysis Summary. This graph is then faxed back to you for review. Management can set their own goals by requesting input from risk management and the audit group or look to industry benchmarks. These are added to the Risk Analysis Summary graph and a clear picture of the overall strengths and weaknesses appears. (These simple graphs are an example of how the plaintiff’s attorney would illustrate to a jury the corporation’s failure to protect their assets, thereby creating damages for the clients, shareholders and other parties to the lawsuit.)
The Risk Assessment Survey and Power Rating provide a snapshot of your overall risk exposure. Areas of extreme weakness should be acted upon immediately. A team of interested participants should be formed, including the records manager, information systems manager, risk manager and one executive level manager to coordinate the team. The leader will later present findings to executive management, make recommendations and project a proforma budget to remedy deficiencies. The overall goal is not merely to put plugs in the dike but to develop a permanent solution to the corporation’s disaster preparedness program. This is the only solution for protecting the board of directors, officers, shareholders and clients of the organization.
POWER RATING THE STORAGE ENVIRONMENT
RISK ASSESSMENT SURVEY OF VITAL RECORDS AND MEDIA FACILITIES
HOW TO USE THE RISK ASSESSMENT SURVEY
This survey is intended to be completed during an actual on-site inspection.
Experience tells us that when a form like this is filled out in the office, memory can be deceiving. In order for this form to accurately define risk, the form must be filled out during an on-site review of the area in question. We also recommend that no advance notice be provided to the areas being examined. A simple walk-through of each area and an honest evaluation by the reviewer will provide usable results. If the results are below your expectations, you can then alert staff to your intended review date and request that special care be taken.
FIRELOCK recommends that you invite a security professional from your security equipment company to accompany you on the walk-through. This representative can easily compare your risk exposure with that of others in the area. At the very least, you do not want to be the weakest target in your market area as you are then inviting an incident. In the event of some disaster, you could be deemed negligent.
After completion of the physical inspection and answering the simple yes/no survey, determine how many of the questions are relevant to your operation and needs. Upon review, if you select 120 of the 130 questions as relevant to your operation, simply tally your score based on those totals. A score below 80% represents a level of unacceptable risk to the business. Steps should be taken through housekeeping, operational procedures and physical security to remedy the deficiencies. Scoring the appraisal is as simple as counting the number of “Yes” answers compared to the total questions selected for the review. In the case where 120 questions are chosen as pertinent to your company, a score of 96 would be a passing score.
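The scoring rule above, written out as an added example (not code from the Firelock brochure). It assumes each survey question is recorded as "yes", "no", or "n/a" for questions judged not relevant, uses the six segment names from the text, and works through the brochure's 120-relevant / 96-yes case with constructed per-section figures.

```python
# Added example, not from the Firelock brochure: scores the yes/no survey the
# way the text describes. Questions judged irrelevant to the operation are
# recorded as "n/a" and dropped from the denominator; the score is the share of
# "yes" answers among the relevant questions, and below 80% is unacceptable risk.
from collections import Counter

PASS_THRESHOLD = 0.80
SECTIONS = (  # the six survey segments named in the text
    "Site Evaluation", "Facility Evaluation", "Vault Evaluation",
    "General Security", "Life Safety", "Environmental Conditions",
)

def tally(answers):
    """Return (relevant, yes) for a list of "yes"/"no"/"n/a" answers."""
    counts = Counter(a.strip().lower() for a in answers)
    unknown = set(counts) - {"yes", "no", "n/a"}
    if unknown:  # a blank or misspelt answer would silently skew the score
        raise ValueError(f"unrecognised answers: {sorted(unknown)}")
    return counts["yes"] + counts["no"], counts["yes"]

def score_survey(survey, threshold=PASS_THRESHOLD):
    """{section: [answers]} -> {section: (relevant, yes, pct, passed)}; pct is
    None for a section with no relevant questions. "Combined Score" is the
    tally over all sections, as on the brochure's form."""
    report, total_relevant, total_yes = {}, 0, 0
    for section in SECTIONS:
        relevant, yes = tally(survey.get(section, []))
        pct = yes / relevant if relevant else None
        report[section] = (relevant, yes, pct, pct is not None and pct >= threshold)
        total_relevant, total_yes = total_relevant + relevant, total_yes + yes
    combined = total_yes / total_relevant if total_relevant else None
    report["Combined Score"] = (total_relevant, total_yes, combined,
                                combined is not None and combined >= threshold)
    return report

def weakest_sections(report, threshold=PASS_THRESHOLD):
    """Sections below the threshold, worst first: the act-immediately list."""
    below = [(s, r[2]) for s, r in report.items()
             if s != "Combined Score" and r[2] is not None and r[2] < threshold]
    return [s for s, _ in sorted(below, key=lambda item: item[1])]

def _answers(yes, no, na):
    return ["yes"] * yes + ["no"] * no + ["n/a"] * na

def sample_survey():
    """Constructed data matching the brochure's case: 130 questions, 120 relevant,
    96 "yes" (exactly the 80% line) even though four sections fall short."""
    return {
        "Site Evaluation": _answers(14, 4, 2),
        "Facility Evaluation": _answers(20, 3, 2),
        "Vault Evaluation": _answers(18, 2, 0),
        "General Security": _answers(18, 5, 2),
        "Life Safety": _answers(14, 4, 2),
        "Environmental Conditions": _answers(12, 6, 2),
    }
```

With the constructed data the combined score is 96/120, a pass, while weakest_sections() still lists four segments under 80%, which is why the per-section figures on the form matter more than the combined line when deciding where to act first.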
A periodic reinspection will also prevent many risk factors from growing out of control. It also lets personnel within and outside the organization know the level of performance you expect and will ultimately require.
EVALUATING THE RISK ASSESSMENT SURVEY
Upon completion of the survey, provide a listing of the scores for each section to FIRELOCK by faxing the scores to (610) 756-4134 on the form provided. Please do not list the company name. Provide only the return Fax phone number and a contact name. Firelock will compile the data provided and return to you a graph (see example below) which shows your relative position to the control standard for your peer group.
No additional follow up will be made as this survey is merely for comparison purposes with other industry peers and to provide an insight to areas requiring some future planning with regard to mitigating risk.
The primary purpose of this survey is to allow records managers and information managers to present industry data to management for the purposes of meeting performance standards which may exist implicitly
To obtain an "Industry Peer Group Comparison", complete the following and Fax results to Firelock at (610)756-4134

The following scores are for our off-site storage vendor and should be compared to that peer group.

                      Total "Relevant"   Total "YES"
                      Questions          Answers
General Security      _____              _____
Life Safety           _____              _____
Environmental         _____              _____
Site Evaluation       _____              _____
Facility Evaluation   _____              _____
Vault Evaluation      _____              _____
Combined Score                           _____

The following scores are for our proprietary records storage facility and should be compared to the peer group circled below.

                      Total "Relevant"   Total "YES"
                      Questions          Answers
General Security      _____              _____
Life Safety           _____              _____
Environmental         _____              _____
Site Evaluation       _____              _____
Facility Evaluation   _____              _____
Vault Evaluation      _____              _____
Combined Score                           _____

Peer Groups:
Banking/Financial     High Technology         Medical
Investment Firms      Municipal/Government    Manufacturing
Legal Firm            Consulting              Communications

Return Comparison Graph to (Name)______________________________________
at the following Fax # ( ) _____________________

Fax Scores to:
Firelock Data Protection System 610-756-4134
7 Tedway Ave., Kutztown, PA 19530; (610)756-4440