

An Example of LAN Network Risk Assessment


In a mission-critical network environment, developing disaster recovery (DR) and business continuity planning is essential for medium-sized to enterprise businesses. The plan should cover all of the business's critical information technology assets, both logical and physical. Physical infrastructure includes domain servers, file servers and the LAN cabling system. Performing a risk assessment for each critical component of your network infrastructure helps you develop your DR and business continuity plan. Covering every assessment task would be a lot of work, so in this article I provide one example: a LAN network risk assessment.

Assessing the risks to all types of critical elements of your business should follow a methodical security risk assessment so that the security requirements are identified. The following two points summarize what a systematic assessment of security risk in an organization must consider:

  1. The business harm likely to result from a security failure, taking into account the potential consequences of a loss of confidentiality, integrity or availability of the information and other assets;
  2. The realistic likelihood of such a failure occurring in the light of prevailing threats and vulnerabilities, and the controls currently implemented.

 

Each risk found must be recorded in a risk assessment form of this kind; the form helps you determine the appropriate management action and priorities and guides the implementation of the controls selected to protect against these risks. The process of assessing risks and selecting controls may need to be performed a number of times to cover different parts of the organization or individual information systems.

Figure 1 shows the network diagram of a mining site that links two buildings (the HR office and the Mining office) with an underground network cable; it serves as the example for this risk assessment. The LAN backbone cable that links the two main buildings is one of the critical business components in your IT department.

Sample risk assessment - network diagram

For the purpose of this sample risk assessment, using the network diagram above, the security risks that are likely to impact business continuity need to be identified. All of the risks must be registered in the following risk assessment form.

Sample Risk Assessment - Table

The risks

Identify all the possible risks that are likely to impact the business. In this sample risk assessment, using the network diagram above, the risks can be identified as follows:

Risk #1: the uplink cable

  1. Business function: Single uplink backbone cable connecting both Mine office and HR buildings.
  2. The threat: Backbone Cable Failure
  3. Consequences: The computers in the Mine building will be disconnected from all network resources and network applications.
  4. Likelihood: Possible.
  5. Existing controls: The network cable is protected by a metal pipe and run underground, buried at a depth of around 30 cm.

You still need to fill in the other columns: Consequence rating, Likelihood rating, Level of Risk and Risk Priority. To do so, the following legends must first be defined so that they fit your business environment:

Consequence
  High: $2M impact on the organization or serious strategy impact
  Medium: $500K – $2M impact on the organization or significant operating impact
  Low: $500K impact on the organization, tactical impact on the operations

Likelihood
  1 Highly possible
  2 Possible
  3 Likely
  4 Not very likely
  5 Never

Level of Risk
  High: Large degree of impact
  Medium: Medium degree of impact
  Low: Minimal impact

Risk Priority
  High Risk
  Medium Risk
  Low Risk

In this sample risk assessment, the “Possible” entry goes in the Likelihood column (refer to the Risk Assessment Form above) and the “Medium Risk” entry goes in the Consequence column.

The “adequacy of existing control” column must describe the current control. In this sample risk assessment the control is not good enough to protect the backbone cable against damage: the cable is enclosed in a metal pipe that runs underground at a depth of around 30 cm beneath a road used by all types of mining vehicles. Any damage to this backbone cable will result in a significant operating impact for all users in the Mine building. This disrupts business continuity, with the possible impact of disconnecting the Mine building from all network resources and network applications.

The LAN risk assessment method shown above can also be applied to any other critical element you record in your critical assets register. Other critical elements you need to assess, based on the network diagram above, include:

  1. The WAN connection that links this remote site to the HQ office in town
  2. All perimeter routers, as the first level of security defense
  3. All Active Directory domain controller machines
  4. DHCP servers that provide automatic IP address configuration for all client computers on the network
  5. Other file servers
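The risk register walked through above (Risk #1 and its legend columns) and the list of further elements to assess can be kept in a small, machine-checkable form. The following Python is an added example and not code from the article; it encodes the article's Consequence, Likelihood, Level of Risk and Risk Priority legends, records Risk #1 with the values the article gives, and adds a constructed second entry for the WAN link from the list above. The article does not state how a consequence rating and a likelihood rating combine into a Level of Risk, so the scoring rule (consequence weight times likelihood weight, with thresholds of 10 and 5) and the second entry's ratings are assumptions made here for illustration; substitute the rule your organization defines.

```python
from dataclasses import dataclass
from enum import Enum


class Consequence(Enum):
    # Consequence legend from the article, with the dollar bands as the page gives them
    HIGH = 3     # $2M impact on the organization or serious strategy impact
    MEDIUM = 2   # $500K - $2M impact on the organization or significant operating impact
    LOW = 1      # $500K impact on the organization, tactical impact on the operations


class Likelihood(Enum):
    # Likelihood legend from the article: 1 is the most likely, 5 is "Never"
    HIGHLY_POSSIBLE = 1
    POSSIBLE = 2
    LIKELY = 3
    NOT_VERY_LIKELY = 4
    NEVER = 5


class RiskLevel(Enum):
    HIGH = "High Risk"
    MEDIUM = "Medium Risk"
    LOW = "Low Risk"


def risk_score(consequence: Consequence, likelihood: Likelihood) -> int:
    """Assumed scoring rule (not from the article): consequence rating (1-3) times a
    likelihood weight (5 for 'Highly possible' down to 1 for 'Never'), giving 1..15."""
    likelihood_weight = 6 - likelihood.value
    return consequence.value * likelihood_weight


def level_of_risk(consequence: Consequence, likelihood: Likelihood) -> RiskLevel:
    """Assumed thresholds (not from the article) mapping the score onto the
    three-tier Level of Risk legend listed on the page."""
    score = risk_score(consequence, likelihood)
    if score >= 10:
        return RiskLevel.HIGH
    if score >= 5:
        return RiskLevel.MEDIUM
    return RiskLevel.LOW


@dataclass(frozen=True)
class RiskEntry:
    """One row of the risk assessment form, following the columns the article walks through."""
    risk_id: int
    business_function: str
    threat: str
    consequences: str
    likelihood: Likelihood
    existing_controls: str
    consequence_rating: Consequence
    adequacy_of_existing_control: str

    @property
    def score(self) -> int:
        return risk_score(self.consequence_rating, self.likelihood)

    @property
    def level(self) -> RiskLevel:
        return level_of_risk(self.consequence_rating, self.likelihood)


def prioritize(register: list[RiskEntry]) -> list[RiskEntry]:
    """Order the register for the Risk Priority column: highest score first, ties broken
    by the more severe consequence, then by risk id so the listing is stable."""
    return sorted(register, key=lambda r: (-r.score, -r.consequence_rating.value, r.risk_id))


def render(register: list[RiskEntry]) -> list[str]:
    """Plain-text rows with a priority number, ready to paste into the form."""
    rows = []
    for priority, r in enumerate(prioritize(register), start=1):
        rows.append(f"P{priority} | Risk #{r.risk_id} | {r.threat} | "
                    f"consequence={r.consequence_rating.name} | likelihood={r.likelihood.name} | "
                    f"score={r.score} | {r.level.value} | control: {r.adequacy_of_existing_control}")
    return rows


# Risk #1 is taken from the article. Risk #2 is a constructed entry for the WAN link the
# article lists as the next element to assess; its ratings are illustrative, not from the page.
SAMPLE_REGISTER = [
    RiskEntry(1, "Single uplink backbone cable connecting both Mine office and HR buildings",
              "Backbone Cable Failure",
              "Computers in the Mine building lose all network resources and applications",
              Likelihood.POSSIBLE, "Cable in a metal pipe, buried around 30 cm deep",
              Consequence.MEDIUM, "Not adequate: 30 cm under a road used by mining vehicles"),
    RiskEntry(2, "WAN connection linking the remote site to the HQ office in town",
              "WAN link outage (constructed example)",
              "Site loses access to services hosted at HQ",
              Likelihood.NOT_VERY_LIKELY, "Single carrier circuit (constructed)",
              Consequence.HIGH, "To be assessed"),
]

if __name__ == "__main__":
    for row in render(SAMPLE_REGISTER):
        print(row)
```

With the assumed rule, Risk #1 scores 2 x 4 = 8 and lands in the Medium tier, which agrees with the “Medium Risk” entry the article records for it; the constructed WAN entry scores 3 x 2 = 6 and sorts below it, so the backbone cable comes out as the first priority.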

All of the risks found during your network security assessment tasks must be registered, together with the controls provided. These tasks help you develop your disaster recovery and business continuity plan as part of the information security management within your organization.

2 comments to An Example of LAN Network Risk Assessment

  • A company proposal is produced to reflect the professionalism of one’s organisation and is there to persuade a buyer that your goods or services are useful to them. Together with any other collateral it’s the proposition that you are giving to the client and what will hopefully win more function for the company.

  • I don’t often comment on blogs, but just wanted to say I completely enjoyed reading. Thanks
