Risk Assessment: McBride Financial Services

McBride Financial Services is a virtual organization at University of Phoenix that provides mortgage services for its members. McBride has as its stated goal to be a "preeminent provider of low cost mortgage services using state-of-the-art technology in the five state areas of Idaho, Montana, Wyoming, North Dakota, South Dakota." McBride provides serves for three primary groups of mortgage seekers: professionals purchasing a primary or secondary residence, retirees purchasing a primary or secondary residence, and families and/or individuals purchasing recreational properties.

The goal of the company is to provide mortgage services at a fixed low rate of $1500 to approved applicants. In order to be able to optimally provide these services, it is necessary to calculate the organization risks and develop a plan to mitigate the risks. The risk assessment will identify the approaches to be implemented for elimination of avoidable risks and the minimization of the risks that are unavoidable. The discussions following will limit the risk assessment to IT related issues: security, auditing and disaster recovery.

Risk assessment is determining two quantities of the risk, the magnitude of the potential loss and the probability that the loss will occur. Risk assessment then is a step in the risk management process, http://en.wikipedia.org/wiki/Risk_Assessment. An organization has to have policies in place to identify and manage risks. Oldfield and Santomero (n.d.) developed the following guidelines to successfully implement the risk management policy set up by the business:

* It has to be integral to the firm's business plan.

* It has to define a measure of risks in each business consistently across the firm.

* Initiate procedures for risk managing at the point nearest to the assumption of risk.

* Develop databases and measurement systems in accord with business practices.

* Install comprehensive risk management system to evaluate individual, business, and firm level performance.

Therefore, a Risk Assessment and Management project team must be formed to conduct a thorough analysis of the system and provide recommendations and policies to deal with disaster. At McBride, the design of the system network will affect security, auditing and disaster recovery, therefore a comprehensive analysis of the network design, security and disaster recovery will go a long way to mitigate against possible risks.

Disasters, Backup and Recovery Plan

McBride has to have data based on analysis of risk factors based on their likelihood and progressive nature of occurrence available to develop the backup and recovery plans. This data may be used to develop effective and balanced measures for loss prevention, mitigation, and recovery.

Disasters can be classified into three broad categories:

* Technical Disasters: Equipment Failure, Database Service Failure, Software Failure, Loss of Power, Loss of A/C.

* Natural Disasters: Fire, Tsunami, Flood, Earthquake, High Winds, Airplane Impact, Human-Caused Disasters: Theft, Vandalism, Virus, Unauthorized Access, Tampering, Code/Data Error

Measures that must be taking to mitigate technical disasters include the following:

* UPS for all critical devices.

* Consider the use of localized (directed) cooling and maintain back-up equipment cooling measures.

The importance of backup and restoration are paramount; there will be off site as well as on site. All branch offices should back up their information to corporate headquarters after first doing a local backup, the corporate office data will in turn be backed up at other branch offices.

McBride is a mortgage company that deals with customers' financial information. Customers' financial information and data is protected by the SOX act. Therefore, the following additional risk-mitigation and prevention measures should also be pursued prior to further protect the databases that contain the customer's information:

* Invoke "preferred" equipment replacement agreements, consortium agreements, reciprocal agreements, equipment consignment agreements, etc.

* Consider the use of a limited-capacity warm site with simple backup and line-rerouting capabilities.

* Invoke effective insurance policies.

Risk Assessment: Security

Security can be considered in three major areas:

* Physical security which includes access to the plants, to the rooms housing servers and other computing devices.

* External threats to the computing network

* Access and permission to authorized users of the system

Physical security will involve the company securing its assets by devices such as alarm system for off hour use, and identification cards for employees. A process should be in place to make sure that guests are properly identified before gaining assess to the facility. Users cannot take computer home unless they are protected by encryption software. Downloading proprietary information onto floppies, CD, thumb/flash/memory drives and other portable media should be disallowed unless such transactions are pre-approved and proper security measures are taken.

Any enterprise has to pay special attention to computer security. Computer security is a field that is concerned with the control of risks related to computer use. A primary focus should be on the external threats to the computing environment. In enterprise with branches cross country, it is important to allow information from "trusted" external sources, and disallow intrusion from anonymous or non-trusted sources. In a secure system, the authorized users of that system are still able to do what they should be able to do. Strong authentication techniques can be used to ensure that communication end-points are who they say they are, for example, passwords should have a minimum of 8 complex character and must be changed every 120 or so days. In addition, capability and access control list techniques can be used to ensure privilege separation and mandatory access control.

Mandatory access control can be used to ensure that privileged access is withdrawn when privileges are revoked. Passwords are one of the most commonly used methods of verifying user authority.

...