Operational and Organizational Security: Incident Response • Chapter 11 649
if an e-commerce site was hacked and the culprit stole customer credit card numbers, numerous customers would be uncomfortable with that site's security and stop buying products from it online. Publicity from the incident could also devalue the company's stock, making its worth drop significantly. As seen in these examples, cause and effect can result in multiple risks arising from a single incident.
Asset Identification
A list of the assets a company possesses is needed to determine which risks apply. Assets are the property and resources belonging to a company; identifying them is how you determine which risks will affect the company and what impact those risks will have. Even a small company may own a considerable number of assets, which should be inventoried as part of the risk management process.
All networks consist of a certain amount of hardware. Peer-to-peer networks have workstations, hubs, printers, scanners, and other equipment, while client/server networks also have servers that provide a number of different services to users. Without this equipment, the business may be unable to conduct normal operations. Computers and servers also have a number of different software installations, with additional software available on installation CDs that are stored separately. This may be commercial software, which can be purchased off the shelf in stores, or in-house software that is created by programmers working for the company. While commercial software could be replaced by purchasing additional copies from the vendor, in-house software may be irreplaceable and may need to be recreated in the event of a disaster.
Another major asset of a business is its data. If a company lost its customer database, financial spreadsheets, crucial documents, or any number of other files, the business could be crippled. To effectively deal with risks, you need to determine what data is important and establish methods of protecting it.
Although each of these focuses on computer-related items, those who work for the company should not be forgotten. People are as much an asset to a company as any of the other assets used to run a business. For example, if the network administrator is the only one with knowledge of the system, the impact of losing this person would be great. To deal with the risk that the administrator could be injured, killed, or otherwise lost from the company's employ, methods of ensuring their safety and well-being should be determined. It is important to identify vital members of an organization and provide methods of continuing business activities if they are unavailable.
www.syngress.com