Information Systems and Risk Management

Synopsis: In this paper we attempt to explain the interaction between Information Systems (Computers) and Risk Management for small to medium-sized businesses. We explore the "balancing act" of providing maximum protection against risk using the minimum of resources.

Information Systems

We use the term Information Systems to include the computers, network components and software resources employed by a business as well as the business data managed and stored by the computers and various peripherals. In many businesses, the total loss of this data can mean the loss of the business.

Risk and Risk Management

The noun risk is defined by Webster as: the chance of injury, damage, or loss. As we all know, risk is a part of life. It may be a result of our own actions, the actions of others or natural occurrences. Every decision made in our businesses as well as our personal lives affects our exposure to risk.

Risk Management has become the buzzword of regulatory agencies, insurance companies, auditors, and others. However, what they are really trying to define is our exposure to risk since many (probably most) risks are beyond our control. Using Risk Management requires that we balance the extent of exposure against the resources (or sacrifice) required to minimize or limit that exposure. Risk Management also does not occur in a vacuum; the decisions we make almost always affect another business or individual.

For example: we certainly would minimize the likelihood of an automobile accident if we kept our car locked in the garage, but it would require us to sacrifice the use of the car (which is why we purchased it in the first place). Of course, our insurance company would love it because it would also minimize their risk exposure.

Resource Risks

Loss of Hardware

The loss of the physical hardware (computers, switches, etc.) used for Information Systems has become a minor consideration in loss of resources. In the 1960s, hardware cost hundreds of thousands of dollars and took months to replace (in fact, most computers were built to order). Due to advances in technology, replacement hardware for most small businesses costs only a few thousand dollars and in most cases can be delivered "next day air".

Security Breaches

The news media, security consultants and security software companies would have us believe that an "unnamed army of evil hackers" is constantly trying to gain access to business computers and steal proprietary data. The truth is that most Security Breaches (incidents that compromise business data) are perpetrated by employees, ex-employees or other individuals familiar with the business.

A security breach may be deliberate: to copy business data such as customer address lists; to alter or destroy part or all of the company data; to deny service by the introduction of a virus that requires system "cleanup" or to use "spam" to overload resources such as a web server; or to browse through unauthorized company data. It may also be accidental: the introduction of a "worm" or "virus" from an external source; or the careless corruption or deletion of data during the normal course of business.

System Downtime

Downtime is the inability to access company business data. System downtime can be caused by "computer problems" or loss of electrical power. Depending on the type of business and the amount of downtime, it may be an inconvenience or it may be a serious risk.

Loss of electrical power usually affects other portions of the business more than it does properly protected information resources. The plans for maintaining power to the business should also include provisions for maintaining power for information systems.

Loss of Business Data

Various terms such as "intellectual properties", "proprietary data" and "financial data" are used to refer to business data. Whatever you choose to call it, we refer to company data as the information necessary to recreate the transactions that will allow the business to function in case of loss.

The loss of business data is the most critical risk to most companies. It does not matter if business data is maintained by the most modern information systems or entered manually on paper; if pertinent information is lost, the company can face serious problems, even bankruptcy.

Minimizing Risk Exposure

Hardware

As previously stated, system hardware has become a minor factor (monetarily) of resource risk. However, there are precautions which can make the replacement easier.

Be sure that company insurance includes system resources such as computers and networking hardware along with business machinery, copiers, FAX machines, etc. Also, be sure that insurance coverage is updated when equipment is added or upgraded.

Keep a complete and up-to-date list of equipment specifications at a remote site. If all your purchases are made through a value-added reseller, the reseller will have an up-to-date list of your resources and can initiate the purchase of replacement hardware if it should be necessary.

Security Breaches

Fortunately, most security breaches can be prevented by the use of a little "common sense" on the part of management and employees. Employees should only have access to resources and data they need to perform their duties. Employees should always "log off" of workstations when they leave their station for breaks or for lunch and particularly when they leave at the end of the day. Visitors and children of employees should not be allowed to "play with" business workstations (these are not toys).

Remote workstations should always be "logged off" when not in use. Servers and other network resources located in separate rooms or away from employee stations should be locked. Keys should only be provided to individuals who have a legitimate need for access.

Remote access communications (such as "tele-commuting") should only be allowed when no other viable alternative exists. The information system should create access logs for all remote access communications and these logs should routinely be audited by the System Administrator.

Employees should never be allowed to introduce "unsecured" documents to the information system by Internet access, floppy disks, CDs or other means. The use of "virus protection" software is recommended to screen such documents prior to access by the information system.

When an employee leaves the service of the company (voluntarily or involuntarily), all future access to business data should be denied. Depending on the level of access by the employee, keys should be retrieved or the locks should be changed. All system logins and passwords for the ex-employee should be removed and other passwords to which the ex-employee had access should be changed. Ex-employees should never be allowed to retain remote access authorization.

System Downtime

If the information system is frequently unavailable because of hardware failures or if operating system errors frequently require that the system be "restarted", the age and/or suitability of the system should be questioned and a full review of company requirements should be made.

All electronic resources should be connected to the electrical grid through properly sized UPS (Uninterruptible Power Source) units. These units perform two basic functions: provide proper output voltages to resources by "smoothing" high or low line voltages, and provide temporary power from internal batteries during a power failure. The UPS unit should be sized to allow the user to complete the current work and bring down the resource in an orderly manner.

If electrical power is critical to the business then it is also critical to your information systems. If constant power is required, generators should be provided with proper wiring to effect automatic disconnection from the power grid and ignition and connection of the generator. However, it does not make sense to provide generator power for information resources of the business if stock and inventory areas are "in the dark" or if there are no other locations that require access to your data.

Business Data

Although "loss of business" insurance is available for businesses, it is expensive and the definitions are often vague and subject to misinterpretation.

The viable solution to minimize loss of business data is BACKUP. Every business transaction should be reproducible, whether from copies of documents or from magnetic or electronic backup procedures. It is easy to understand why backup is necessary for information systems. What is sometimes overlooked is the importance of auxiliary documents such as sales brochures and equipment specifications. If a paper schematic is necessary to help you assist your customer, you should provide for backup of that schematic.

The purpose of backup for information systems is to provide a method of recreating business transactions; it is not a "means unto itself." The amount of resources and time to create backup should be balanced against the time necessary to recover in case of loss and the amount of the loss. For most businesses, the loss of a single twenty-dollar accounts receivable invoice would be an inconvenience; the loss of all inventory, accounts receivable and sales records would be a catastrophe. The most important factor in backup is that it be done conscientiously.

For most small to medium-sized businesses that do not operate twenty-four hours a day, we recommend a two-step backup procedure that minimizes employee intervention but provides a high level of business data security.

A backup of ALL information system data (full backup) is created automatically by the computer system on removable media during the hours the business is not open to the public. Depending on the volume of data, this backup can be created on a tape drive or a CD-RW drive. At the close of business each day, a backup to tape or CD-RW is made of data modified since the last full backup. (For more critical businesses, a modified backup can be made more frequently during the day or the system can generate transaction logs on removable media.)

Both the full backup media and the modified backup media are carried to a secure offsite location (such as a bank safe-deposit box) by a designated employee when they leave for the day (or during the day in case of evacuation or other emergency). A backup log should be maintained of all backup media locations. It is important that the backup be entrusted to an employee who understands the importance of the backup media and will provide proper security and handling of the media while it is in their possession.

At least one prior day's media should be left in the secure offsite location. For example, a business that is open six days a week would leave Monday, Wednesday or Friday media offsite on Tuesday, Thursday or Saturday. Tuesday, Thursday or Saturday media would be left offsite on Monday, Wednesday or Friday. A sufficient quantity of error-free media should be maintained, at least one set for each day of the week the business operates. Media that frequently encounter "recording errors" should be replaced (the cost of media is "cheap insurance").
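
The two-step procedure above (a full backup plus a backup of data modified since the last full backup), with a read-back check that the pair of media can recreate the current data, is sketched here as an added example; it is not code from the original article. It assumes the backups are tar.gz files and that modified files are detected by SHA-256 digest; the function names and the MANIFEST.json member are hypothetical.

```python
import hashlib, io, json, os, tarfile

def snapshot(root):
    """Map each file's path (relative to root) to the SHA-256 of its contents."""
    digests = {}
    for folder, _, names in os.walk(root):
        for name in names:
            path = os.path.join(folder, name)
            with open(path, "rb") as fh:
                digests[os.path.relpath(path, root)] = hashlib.sha256(fh.read()).hexdigest()
    return digests

def write_archive(root, files, manifest, archive_path):
    """Write the chosen files plus MANIFEST.json (assumed name) listing the whole data set."""
    with tarfile.open(archive_path, "w:gz") as tar:
        for rel in sorted(files):
            tar.add(os.path.join(root, rel), arcname=rel)
        blob = json.dumps(manifest, sort_keys=True).encode()
        info = tarfile.TarInfo("MANIFEST.json")
        info.size = len(blob)
        tar.addfile(info, io.BytesIO(blob))

def full_backup(root, archive_path):
    """Step 1: back up ALL data; return the manifest later runs compare against."""
    manifest = snapshot(root)
    write_archive(root, manifest, manifest, archive_path)
    return manifest

def modified_backup(root, full_manifest, archive_path):
    """Step 2: back up only files added or changed since the last full backup."""
    current = snapshot(root)
    changed = [rel for rel, digest in current.items() if full_manifest.get(rel) != digest]
    write_archive(root, changed, current, archive_path)
    return sorted(changed)

def verify_media(full_archive, modified_archive):
    """Read both media back; True only if together they reproduce the latest manifest."""
    recovered, manifest = {}, {}
    for archive in (full_archive, modified_archive):  # later media overrides earlier
        with tarfile.open(archive) as tar:
            for member in tar.getmembers():
                if not member.isfile():
                    continue
                data = tar.extractfile(member).read()
                if member.name == "MANIFEST.json":
                    manifest = json.loads(data)
                else:
                    recovered[member.name] = hashlib.sha256(data).hexdigest()
    return bool(manifest) and all(recovered.get(r) == d for r, d in manifest.items())
```

Running `verify_media` before the media leave the building catches recording errors while the source data still exists; the modified media alone fail the check, which is why both sets travel offsite together.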

Written by: Larry Nobles

Copyright 2009 by Nobles Corporation. All rights reserved.
Permission is granted to reproduce or reprint this article if ownership and full copyright information is retained.
