HHS 350: Categorizing Vulnerabilities In An Organization
Categorizing Vulnerabilities
Eddie Wilmore
Western International University
HHS 350
September 10 , 2006
Hollie Kopp Toppel
There are quite a few vulnerabilities that can affect organizations productivity. These vulnerabilities can be environmental, utilities & service, criminal behavior, equipment failure, and information security issues. To protect the organization against loss of productivity and data loss we have created an assessment of the potential danger each category of threat presents. We created a worksheet (located on the last page of this document) listing each type of vulnerability and ranked the probability and severity of each of the threats. Using a probability and severity legend that had one …show more content…
as the lowest in probability and severity and five as the highest we calculated the vulnerability level of each potential threat. We will present the probability and severity of each type of danger as well and make recommendations on actions that should be taken to minimize each threat.
Environmental Threat Analysis
We will start by examining the prevalent environmental threats that the organization might face.
The threat of earthquake is definitely present in the area. Schirber (2005) outlines the probability of this threat “Researchers have calculated a 20 to 70 percent probability that southern California will be hit by a large earthquake in the next 30years. The forecast is based on the frequency of past events.” We have assessed this threat and find its level to be a twenty five in terms of probability and severity which is the highest possible score, which makes this a high priority threat. The organization is located in a very hot, dry desert region which makes is susceptible to fire. The risk of fire got a rating of fifteen on our assessment making this a high priority threat. The risk of flood would not usually be considered a major threat in a dry area but we gave this threat a rating of fifteen making it a high priority threat. The risk of earthquakes in the area makes the organization susceptible to flood because earthquakes can break dams or levees along a river. The water from the river or the reservoir would then flood the area; damaging buildings. The threat of tornados received a twelve in our assessment making it a medium priority threat. We based this rating on the fact that the region averages about 20 tornadoes or water spouts per year according to the National Weather Service. The other environmental threats we analyzed were landslides, and hurricanes. Each of …show more content…
theses threats received a one for probability and severity making these a low priority threat to the organization.
Environmental Threat Consequences
The consequences of an earthquake are obvious.
Earthquakes can damage buildings by the shaking itself or by the ground beneath them settling to a different level than it was before the earthquake. This must be the first vulnerability that we will address for this category. A serious earthquake can destroy the building, produce flooding, and cause fire, etc… This will end client services within the building until the damage has been addressed. A fire can cause severe damage to the facility and equipment halting services provided to the clients. Tornados, floods, landslides, and hurricanes have the ability to damage the facility and equipment which would cause an inability for employees to perform their jobs and cause a disruption to the services provided to the
clients.
Strategic Recommendations for Environmental Threats
Environmental threats can be difficult to predict and prevent .Large earthquakes, fire, tornados, floods, landslides, and hurricanes cannot be protected against there can be measures taken to protect the data. All the data must be backed to multiple offsite facilities. This will allow the organization to continue service at an alternate location in case there is critical damage to the facility.
Utilities & Service Analysis
There was one high priority threat in the utilities and service category. The threat to electricity received a twenty making it a high priority threat. The electrical threat was a high priority because of the conditions in the area. The hot, dry conditions will call for a surge in energy usage in the summer months which could lead to high demand and outages. Gas, water, and communications each received a six making them medium priority threats. Transportation received the lowest possible score of one making it a very low priority threat.
Utilities & Service Analysis Threat Consequences
The consequences of loss of electricity are obvious. The business would not be able to run if there was an extended loss of electricity. Employees would not be able to perform very many job functions if there was an outage. The equipment employees use to assess patients would be rendered useless. The computer network would not be operational so no electronic records could be pulled up and no data could be entered. The building lights and air conditioning would not work which creates impossible work conditions. Loss of gas, water, and communications can cause a slowdown in productivity in the workplace. The impact of the loss of gas, water, and communications services would include; the inability to communicate with patients and other providers, inability to heat the facility and the water, the toilets and sinks would be inoperable. These threats do not pose a significant threat but would affect the quality of service provided to the clients. The loss of transportation would affect the ability of some of the patients to get to the facility and the ability to move patients to the hospital if it required.
Strategic Recommendations for Utilities & Service Threats
The loss of power can cripple organizations productivity. Backup generators capable of supplying power to the building for an extended time should be installed at the location. Sprinkler systems and keeping boxes, trash, wood and other combustibles away from buildings along with the security devices will help minimize the threat of arson.
Criminal Behavior Threat Analysis
The area the organization is located in creates a couple of high priority threats in the criminal activity category. The threat of theft received a twenty five making it a high priority threat. Arson received a twenty and is also a high priority threat simply because of the high criminal activity in the area. Riots were rated as a twelve on our worksheet and will be considered a medium priority threat. Terrorism and sabotage both received a one and will be considered low priority threats.
Criminal Behavior Threat Consequences
There are several consequences to the organization when there is criminal activity. Theft of equipment can cause employees to be unable to provide services to the clients. If the computers are stolen the patient information stored locally is lost unless the equipment is recovered. Tools like Pulse oximeters, blood pressure monitors, and EKG machines and other equipment can easily be stolen and are costly to replace. These tools are essential when caring for patients. The time and money that it takes to replace these devices can cause the organization to have serious downtime a lower quality in client service. Arson carries the same consequences as theft. Arson can destroy the building and equipment causing downtime and an inability to service clients.
Strategic Recommendations for Criminal Behavior Threat
To minimize the threat of criminal behavior a full time security guard should be put in place. Security cameras that are monitored by an offsite security company need to be installed on the inside and outside of the building. Valuable equipment should be locked up daily without exception. New employees must have their backgrounds screened to detect previous criminal activity.
Equipment Failure Threat Analysis
The threat of equipment failure category did not produce any high priority threats. The threat of IT equipment failure got a rating of eight making it a medium priority threat. The threat of non- IT equipment failure got a rating of six on our worksheet and is also considered a medium priority threat.
Equipment Failure Threat Consequences
Equipment failure can limit the services provided to the client. If the network goes down because of a bad switch or router there can be a delay getting and entering patient information. If a computer crashes you will be in the same situation as a network failure. There will be a delay in the ability to monitor and enter data on the patient. The information on the local drives can also be lost requiring repeated actions. Non-IT equipment failure can cause the employees to be unable to treat patients immediately or get a full assessment of the patient. Loss of these types of equipment at inopportune times can lead patients with serious conditions not getting the care they need.
Strategic Recommendations for Equipment Failure Threat
To minimize the potential for equipment failure we suggest setting a regular maintenance schedule for IT and Non-IT hardware in the facility. Keep regular logs of the equipment make and model information with software versions so failed equipment can be swapped quickly minimizing down time. Upgrade equipment that are at the end of their life expectancy.
Information Security Threat Analysis
The Information Security Threat had several areas that had high priority ratings. The Loss of records got a rating of twenty five. The threat of cyber crime and information breaches got a rating of fifteen on our worksheet. All three of there areas have a high priority rankings and should be addressed ASAP.
Information Security Threat Consequences
There are many major consequences to information and security issues. If there are cases of cyber crime, loss of records, or information breaches the company and its employees will suffer tremendously. These issues are the most dangerous because they can go unnoticed and have harsh consequences. Patients will lose faith in the organization ability to protect their information. Lost patient information because of poor security can be considered violations of the HIPAA security and HIPAA privacy acts. This can lead to penalties and sanctions against the organization. Lost data will cause the organization to reproduce work that has already been completed. This can cause a heavy and unnecessary financial burden on the organization.
Strategic Recommendations for Information Security Threat
We have a few suggestions to minimize the threat to Information Security. The OS software should have patches applied in a timely fashion to prevent system from being compromised. All systems need to have an antivirus installed and have procedures in place for regular updates to the virus definitions. Data should be backed up to an offsite storage facility with controlled access. The data also needs to be encrypted when the information contains personally identifiable data. All shared systems need to have a technical access control mechanism that limits system and data resources to individual users.
Conclusion
Some events cannot be prevented and will interrupt organizational productivity. The goal is to minimize or prevent the time the organization is disabled. Our analysis shows the factors that will most likely affect the organization. Using the recommendations we have provided will undoubtedly save the organization time and money. Most importantly all of these countermeasures will allow you to provide the services that your clients so desperately require.
Disaster Vulnerability Assessment Worksheet
|VULNERABILITY |PROBABILITY |SEVERITY |Vulnerability Level |
| | | |Probability X Severity |
|Environmental |Earthquake |5 |5 |25 |
| |Fire |3 |5 |15 |
| |Tornado |3 |4 |12 |
| |Flood |5 |4 |15 |
| |Landslide |1 |1 |1 |
| |Hurricane |1 |1 |1 |
|Utilities & Service |Electrical |4 |5 |20 |
| |Gas |3 |2 |6 |
| |Water |3 |2 |6 |
| |Communications |3 |2 |6 |
| |Transportation |1 |1 |1 |
|Criminal Behavior |Terrorism |1 |1 |1 |
| |Sabotage |1 |1 |1 |
| |Theft |5 |5 |25 |
| |Arson |4 |5 |20 |
| |Riots |3 |4 |12 |
| |Trespassing |5 |3 |15 |
|Equipment Failure |IT equipment |2 |4 |8 |
| |Non-IT equipment |2 |3 |6 |
|Information Security |Cyber crime |3 |5 |15 |
| |Loss of records |5 |5 |25 |
| |Info. breaches |3 |5 |15 |
References
Schirber, Michael (2005) Large California Earthquake Possible Within 30 Years, Geologists Warn. Retrieved September 8, 2006, from http://www.livescience.com/forcesofnature/050512_quake_cast.html
De Castro, Richard A. (1996) Survival FAQ - In the Beginning, the Threat Analysis. Retrieved September 6, 2006, from http://www.1stconnect.com/anozira/SiteTops/kits/threat.htm
Eddie Wilmore
Western International University
HHS 350
September 10 , 2006
Hollie Kopp Toppel
There are quite a few vulnerabilities that can affect organizations productivity. These vulnerabilities can be environmental, utilities & service, criminal behavior, equipment failure, and information security issues. To protect the organization against loss of productivity and data loss we have created an assessment of the potential danger each category of threat presents. We created a worksheet (located on the last page of this document) listing each type of vulnerability and ranked the probability and severity of each of the threats. Using a probability and severity legend that had one …show more content…
as the lowest in probability and severity and five as the highest we calculated the vulnerability level of each potential threat. We will present the probability and severity of each type of danger as well and make recommendations on actions that should be taken to minimize each threat.
Environmental Threat Analysis
We will start by examining the prevalent environmental threats that the organization might face.
The threat of earthquake is definitely present in the area. Schirber (2005) outlines the probability of this threat “Researchers have calculated a 20 to 70 percent probability that southern California will be hit by a large earthquake in the next 30years. The forecast is based on the frequency of past events.” We have assessed this threat and find its level to be a twenty five in terms of probability and severity which is the highest possible score, which makes this a high priority threat. The organization is located in a very hot, dry desert region which makes is susceptible to fire. The risk of fire got a rating of fifteen on our assessment making this a high priority threat. The risk of flood would not usually be considered a major threat in a dry area but we gave this threat a rating of fifteen making it a high priority threat. The risk of earthquakes in the area makes the organization susceptible to flood because earthquakes can break dams or levees along a river. The water from the river or the reservoir would then flood the area; damaging buildings. The threat of tornados received a twelve in our assessment making it a medium priority threat. We based this rating on the fact that the region averages about 20 tornadoes or water spouts per year according to the National Weather Service. The other environmental threats we analyzed were landslides, and hurricanes. Each of …show more content…
theses threats received a one for probability and severity making these a low priority threat to the organization.
Environmental Threat Consequences
The consequences of an earthquake are obvious.
Earthquakes can damage buildings by the shaking itself or by the ground beneath them settling to a different level than it was before the earthquake. This must be the first vulnerability that we will address for this category. A serious earthquake can destroy the building, produce flooding, and cause fire, etc… This will end client services within the building until the damage has been addressed. A fire can cause severe damage to the facility and equipment halting services provided to the clients. Tornados, floods, landslides, and hurricanes have the ability to damage the facility and equipment which would cause an inability for employees to perform their jobs and cause a disruption to the services provided to the
clients.
Strategic Recommendations for Environmental Threats
Environmental threats can be difficult to predict and prevent .Large earthquakes, fire, tornados, floods, landslides, and hurricanes cannot be protected against there can be measures taken to protect the data. All the data must be backed to multiple offsite facilities. This will allow the organization to continue service at an alternate location in case there is critical damage to the facility.
Utilities & Service Analysis
There was one high priority threat in the utilities and service category. The threat to electricity received a twenty making it a high priority threat. The electrical threat was a high priority because of the conditions in the area. The hot, dry conditions will call for a surge in energy usage in the summer months which could lead to high demand and outages. Gas, water, and communications each received a six making them medium priority threats. Transportation received the lowest possible score of one making it a very low priority threat.
Utilities & Service Analysis Threat Consequences
The consequences of loss of electricity are obvious. The business would not be able to run if there was an extended loss of electricity. Employees would not be able to perform very many job functions if there was an outage. The equipment employees use to assess patients would be rendered useless. The computer network would not be operational so no electronic records could be pulled up and no data could be entered. The building lights and air conditioning would not work which creates impossible work conditions. Loss of gas, water, and communications can cause a slowdown in productivity in the workplace. The impact of the loss of gas, water, and communications services would include; the inability to communicate with patients and other providers, inability to heat the facility and the water, the toilets and sinks would be inoperable. These threats do not pose a significant threat but would affect the quality of service provided to the clients. The loss of transportation would affect the ability of some of the patients to get to the facility and the ability to move patients to the hospital if it required.
Strategic Recommendations for Utilities & Service Threats
The loss of power can cripple organizations productivity. Backup generators capable of supplying power to the building for an extended time should be installed at the location. Sprinkler systems and keeping boxes, trash, wood and other combustibles away from buildings along with the security devices will help minimize the threat of arson.
Criminal Behavior Threat Analysis
The area the organization is located in creates a couple of high priority threats in the criminal activity category. The threat of theft received a twenty five making it a high priority threat. Arson received a twenty and is also a high priority threat simply because of the high criminal activity in the area. Riots were rated as a twelve on our worksheet and will be considered a medium priority threat. Terrorism and sabotage both received a one and will be considered low priority threats.
Criminal Behavior Threat Consequences
There are several consequences to the organization when there is criminal activity. Theft of equipment can cause employees to be unable to provide services to the clients. If the computers are stolen the patient information stored locally is lost unless the equipment is recovered. Tools like Pulse oximeters, blood pressure monitors, and EKG machines and other equipment can easily be stolen and are costly to replace. These tools are essential when caring for patients. The time and money that it takes to replace these devices can cause the organization to have serious downtime a lower quality in client service. Arson carries the same consequences as theft. Arson can destroy the building and equipment causing downtime and an inability to service clients.
Strategic Recommendations for Criminal Behavior Threat
To minimize the threat of criminal behavior a full time security guard should be put in place. Security cameras that are monitored by an offsite security company need to be installed on the inside and outside of the building. Valuable equipment should be locked up daily without exception. New employees must have their backgrounds screened to detect previous criminal activity.
Equipment Failure Threat Analysis
The threat of equipment failure category did not produce any high priority threats. The threat of IT equipment failure got a rating of eight making it a medium priority threat. The threat of non- IT equipment failure got a rating of six on our worksheet and is also considered a medium priority threat.
Equipment Failure Threat Consequences
Equipment failure can limit the services provided to the client. If the network goes down because of a bad switch or router there can be a delay getting and entering patient information. If a computer crashes you will be in the same situation as a network failure. There will be a delay in the ability to monitor and enter data on the patient. The information on the local drives can also be lost requiring repeated actions. Non-IT equipment failure can cause the employees to be unable to treat patients immediately or get a full assessment of the patient. Loss of these types of equipment at inopportune times can lead patients with serious conditions not getting the care they need.
Strategic Recommendations for Equipment Failure Threat
To minimize the potential for equipment failure we suggest setting a regular maintenance schedule for IT and Non-IT hardware in the facility. Keep regular logs of the equipment make and model information with software versions so failed equipment can be swapped quickly minimizing down time. Upgrade equipment that are at the end of their life expectancy.
Information Security Threat Analysis
The Information Security Threat had several areas that had high priority ratings. The Loss of records got a rating of twenty five. The threat of cyber crime and information breaches got a rating of fifteen on our worksheet. All three of there areas have a high priority rankings and should be addressed ASAP.
Information Security Threat Consequences
There are many major consequences to information and security issues. If there are cases of cyber crime, loss of records, or information breaches the company and its employees will suffer tremendously. These issues are the most dangerous because they can go unnoticed and have harsh consequences. Patients will lose faith in the organization ability to protect their information. Lost patient information because of poor security can be considered violations of the HIPAA security and HIPAA privacy acts. This can lead to penalties and sanctions against the organization. Lost data will cause the organization to reproduce work that has already been completed. This can cause a heavy and unnecessary financial burden on the organization.
Strategic Recommendations for Information Security Threat
We have a few suggestions to minimize the threat to Information Security. The OS software should have patches applied in a timely fashion to prevent system from being compromised. All systems need to have an antivirus installed and have procedures in place for regular updates to the virus definitions. Data should be backed up to an offsite storage facility with controlled access. The data also needs to be encrypted when the information contains personally identifiable data. All shared systems need to have a technical access control mechanism that limits system and data resources to individual users.
Conclusion
Some events cannot be prevented and will interrupt organizational productivity. The goal is to minimize or prevent the time the organization is disabled. Our analysis shows the factors that will most likely affect the organization. Using the recommendations we have provided will undoubtedly save the organization time and money. Most importantly all of these countermeasures will allow you to provide the services that your clients so desperately require.
Disaster Vulnerability Assessment Worksheet
|VULNERABILITY |PROBABILITY |SEVERITY |Vulnerability Level |
| | | |Probability X Severity |
|Environmental |Earthquake |5 |5 |25 |
| |Fire |3 |5 |15 |
| |Tornado |3 |4 |12 |
| |Flood |5 |4 |15 |
| |Landslide |1 |1 |1 |
| |Hurricane |1 |1 |1 |
|Utilities & Service |Electrical |4 |5 |20 |
| |Gas |3 |2 |6 |
| |Water |3 |2 |6 |
| |Communications |3 |2 |6 |
| |Transportation |1 |1 |1 |
|Criminal Behavior |Terrorism |1 |1 |1 |
| |Sabotage |1 |1 |1 |
| |Theft |5 |5 |25 |
| |Arson |4 |5 |20 |
| |Riots |3 |4 |12 |
| |Trespassing |5 |3 |15 |
|Equipment Failure |IT equipment |2 |4 |8 |
| |Non-IT equipment |2 |3 |6 |
|Information Security |Cyber crime |3 |5 |15 |
| |Loss of records |5 |5 |25 |
| |Info. breaches |3 |5 |15 |
References
Schirber, Michael (2005) Large California Earthquake Possible Within 30 Years, Geologists Warn. Retrieved September 8, 2006, from http://www.livescience.com/forcesofnature/050512_quake_cast.html
De Castro, Richard A. (1996) Survival FAQ - In the Beginning, the Threat Analysis. Retrieved September 6, 2006, from http://www.1stconnect.com/anozira/SiteTops/kits/threat.htm