648 Chapter 11 • Operational and Organizational Security: Incident Response
Risk identification is the process of ascertaining which threats pose a risk to a
company so that each can be dealt with accordingly. There are many different types of
risk that can affect a business, and each organization faces a different set of them. For
example, an e-commerce site is at risk of credit card information being acquired by
an attacker, while a public information site that holds no sensitive data would not consider
this a potential problem. For this reason, you cannot identify risks simply by
adopting a list created by another organization. Each business must identify the
risks it may actually confront.
A common type of risk is a disaster, which can be naturally occurring or the
result of accidents and malfunctions. Natural disasters include storms, floods, fires,
earthquakes, tornadoes, and any other environmental event. Disasters also include
situations that cause damage to an organization through accident or malfunction, such as a fire that breaks out
due to faulty wiring, a burst pipe, or a power outage. In addition to these
risks, an organization is commonly at risk from equipment failures, such as air conditioning
breaking down in the server room, a critical system failing, or any number
of other problems. As will be seen in Chapter 12, disasters can cause massive
damage to a company, so countermeasures must be established to deal with them.
Risks from external sources do not come only in the form of natural occurrences.
As discussed throughout this book, a number of different risks
result from malicious persons and the programs they use and disseminate. Trojan
horse attacks, viruses, hackers, and various other attacks can devastate an organization
as effectively as any natural disaster. An attack on systems can result in disruption
of services or the modification, damage, or destruction of data.
Internal risks are often overlooked. These are risks whose consequences result
from the actions of persons employed by the organization. Corporate theft costs businesses
considerable amounts of money every year. This relates not only to the theft
of computers and other office equipment, but also to small thefts that add up over time.
Software and data are also targets of corporate theft. Employees may steal installation
CDs or make copies of software to install at home. A single program can cost
hundreds or even thousands of dollars, and copied CDs that are illegally installed
can expose the company to piracy charges and legal liability. If an employee takes sensitive data
from a company and sells it to a competitor or uses it for other purposes, the company
could lose millions of dollars, face liability suits, or even face criminal charges if
the stolen data breaches client confidentiality. In cases where the data involves corporate
financial information, embezzlement could also result. By failing to address the
risk of such theft, a company exposes itself to huge losses.
When incidents occur, the impact of the event can itself pose additional risks. If
customers lose confidence in a business, sales could drop significantly. For example,
www.syngress.com