Treats that this company is vulnerable to are but not limited to tornado, mallard, equipment failure, stolen data, DOS attacks & social engineer. The like likelihood of each is moderate to high. Headquarter is located right in tornado alley. Since this building house all three serves, a direct hit would result in a total loss. Since the users connect to the LANA with Windows Vista which is very outdated the risk of mallard is also high. Along with having all three servers in a central location, there is no mention of any backup locations or even if a DRP is in lace.
Therefore equipment failure (loss of data) is very high. There is a mention of a direct attached storage but it appears that there is no LIP in place. This means everyone has access to the data. Stolen confidential data of a customer is a serious and costly risk. There is no mention of any firewalls in place. If the servers are not protected by firewalls or intrusion detection systems can result in loss of availability. Users and social engineering is the weakest and easily the most vulnerable. Lack of access controls and security awareness can result in errors loss of confidentiality and hackers are real threat in today’s world.
With the sales people accessing the network through a home office and share internet connection with headquarters, this is the bulk of the concern. For each risk listed the following should be implanted: Tornado- the vulnerability here is location. You can either accept the risk by doing nothing because of the location or what I suggest is mitigate the risk by purchasing insurance. Mallard-outdated software. This vulnerability can be avoided by installing anti-virus and keeping it updated. Equipment failure-no backup’s setup.
This is another vulnerability that can be avoided by performing regular backups and keeping them at an offside location. Stolen Data-access controls not implanted. Since the company has a direct attached storage, this should be in a secure location within the facility. AUP here is a must. DoS Attack/ Social Engineering-loss of CIA. The loss of confidentiality, integrity & availability is an asset once lost is difficult to regain. Access controls, training, awareness & policies are some steps a company can do to mitigate this vulnerability.