A picture is worth a thousand words, and an example might be worth a thousand pictures. In today’s post, we present a sample Threat and Risk Assessment. The original of this TRA was for a real client of ours, but this fictionalized version is for the Acme Widget Corp. of Dangerfield, California.
Even though Acme is made up, this sample TRA might be instructive for any real organization trying to come to grips with its current threat landscape.
Time for a New TRA
Has it been a while since your organization did a Threat and Risk Assessment? Have you never done one? Well, you should conduct a TRA, and sooner rather than later. A lot has changed in the world over the past two years. Your organization’s threat environment has probably changed, as well. And the TRA is one of the keystones of a sound BCM program.
In previous blogs, we’ve talked about the importance of conducting a TRA and bulleted out the kind of things you should include.
Today we’re going to give an example of what a TRA looks like, at least the way MHA does it.
An Assessment of the Acme Widget Corp.
This example is based on an assessment we did for a real client. However, it’s been significantly fictionalized for obvious reasons. It’s now a TRA for the Acme Widget Corp. of Dangerfield, California.
Even though neither Acme Widget Corp. nor Dangerfield, California, exists, the example might be helpful to anyone at a real-life organization who is getting ready to perform a TRA (or look for a consultant to do one for them).
The example has been greatly shortened (it leaves out the executive summary, our recommendations, and the appendices), but as a blog post it’s still on the long side. For that reason, we’ll end the commentary and get on with the example.
Threat and Risk Assessment Management Report
Acme Widget Corp., Dangerfield, California
Prepared by: Richard Long, Senior Advisory Consultant
MHA Consulting, Inc.
The Threat and Risk Assessment (TRA) ranked the relevant threats (e.g., natural, human, technological) to Acme Widget Corp.’s Alpha and Beta facilities. It additionally assessed the state of the controls used to mitigate these threats by comparing them to industry best practices and standards.
MHA conducted a series of interviews with Operations, Legal, Information Technology, Facilities and Security personnel at both Acme locations to evaluate the current state of each control. MHA also conducted on-site reviews of the facilities to evaluate threat probability and impacts due to factors such as geography, locale, and hardening of the facilities.
MHA utilized the Federal Emergency Management Agency (FEMA), USA.com, United States Geological Survey (USGS), the California Office of Emergency Management MyHazards website, and the Dangerfield County multi-jurisdictional hazard plan to gather nature-based threat, flood plain, and hazard information relevant to the facilities evaluated.
The scope of this TRA focused on the Acme facilities at 123 Main Street, Dangerfield, California, and 555 First Street, Dangerfield, California. These facilities provide corporate information technology processing and order fulfillment/distribution support to the enterprise.
- Acme Widget Corp. has two (2) corporate centers in the city of Dangerfield. Both locations are in highly traveled and populated areas of the city and state.
- Both corporate facilities are well maintained and in good condition. There were no major deficiencies in maintenance or conditioning of either facility.
- Dangerfield has a low probability of seismic activity within the state of California, although earthquakes are the largest threat to both facilities. According to the California Emergency Management Agency Hazard Mitigation Portal, both the Alpha and Beta facilities have a moderate risk of earthquakes. The last major earthquake reported in the Dangerfield area, above a 3.5, occurred in 1979.
- The two sites are in an area susceptible to wildfires. Over 103 wildfires were reported within 50 miles of the area from 1950 to 2010.
- A railroad line is located within the immediate area (two miles or less) and presents the potential for a hazardous material spill via a commercial transportation source.
- Both the Alpha and Beta facilities have been affected by frequent power outages. The power grid, which is supported by Dangerfield Gas & Electric (SGE), has not provided stable electric power over the last few years.
- Hazardous materials are used in both facilities but are well contained and managed by Facilities Management.
A Threat Assessment was performed by MHA to identify and rank the risk of natural, technical, and human threats to the sites in the study. The lists of sample threats to be evaluated that may be applicable to the facilities are:
- Natural: Severe Thunderstorm, Lightning, Earthquake, Floods, Wild Fires, Tsunami, Volcano, Hail, Strong Winds
- Technical: Data Network Failure, Data Breach, Gas Leak, HVAC Failure, System/Application Failure, Utility Power Failure, Virus Attacks, Voice Network Failure, Human Error causing outage
- Human: Adjacent Company Disaster, Airplane Crash, Bomb Threat, Building Fire, Burglary, Explosion, Flooding Internal, HAZMAT Spill-Fixed Site, HAZMAT Spill-Transportation, Human Error, Loss of Key Personnel, Nuclear Fallout, Pandemic, Terrorism, Unauthorized Physical Access, Vandalism, Workplace Violence
MHA performed an on-site evaluation to determine the probability of each threat occurring and its potential business and facility impact. MHA’s review of each facility included:
- Local Area Review – General tour of the immediate area to note hazards such as freeways, railroads, airports, high-profile companies or organizations, etc.
- Flood Plain – Proximity of the site to flood zones as defined by Federal Emergency Management Agency (FEMA) maps.
- Building and Infrastructure – Review of general site hardening controls such as backup power, fire and life safety, physical security, building maintenance, etc.
- Past Event History – Review past history of events that raise or lessen the probability of threats.
MHA used the compiled information from this review to calculate the ranking of each threat.
Steps in Ranking Threats
Five factors were considered in quantifying and ranking each potential threat:
- Probability – What is the likelihood of the threat occurring?
- Business Impact – What is the maximum impact to the business if it occurs?
- Facility Impact – What is the maximum impact to the facility if it occurs?
- People Impact – What is the maximum impact to people if it occurs?
- Mitigating Control Status – What is the capability of the company to prevent or reduce the effects of the threat?
MHA used its in-house tool to identify the most relevant threats (e.g., Natural, Human, Technological) to Acme Widget Corp. In identifying these threats, the tool considers the Probability that the event will occur, the Maximum Impact (Severity) to people, facility and business should it occur and the Level of Preparedness, Business Continuity, and Community Response available to minimize the impacts. The result of this analysis yields a “Risk Factor” score that is used to rank the most relevant threats with the highest impact to the organization. The top threats to the facility by type, probability, and severity are as follows:
|Natural||Technological||Human|
|1. Earthquakes||1. Data breach/ransomware||1. Airplane Crash|
|2. Wildfires||2. System / Application Failure||2. Loss of Key Personnel|
|3. Flooding||3. Network Failure (LAN/WAN)||3. Terrorist Attack (Regional)|
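The ranking step described above can be sketched as follows. This is an added example, not MHA's in-house tool or its formula: the 1 to 5 scales, the control discounts, the `risk_factor` formula and every score in `SAMPLE` are assumptions constructed for illustration.

```python
from typing import NamedTuple

# Assumed weighting of the report's four control colours: the weaker the
# mitigating control, the less it discounts the inherent risk.
CONTROL_DISCOUNT = {"Green": 0.25, "Yellow": 0.50, "Orange": 0.75, "Red": 1.00}

class Threat(NamedTuple):
    name: str
    category: str      # "Natural", "Technological" or "Human"
    probability: int   # assumed scale: 1 (rare) to 5 (expected)
    business: int      # maximum impact, assumed scale: 1 (minor) to 5 (severe)
    facility: int
    people: int
    control: str       # status of the relevant mitigating control

def risk_factor(t: Threat) -> float:
    """Probability x worst-case impact, discounted by control status."""
    severity = max(t.business, t.facility, t.people)
    return t.probability * severity * CONTROL_DISCOUNT[t.control]

def top_threats(threats, n=3):
    """Return {category: [(name, score), ...]} holding the n highest scores."""
    ranked = {}
    for t in sorted(threats, key=lambda t: (-risk_factor(t), t.name)):
        ranked.setdefault(t.category, []).append((t.name, risk_factor(t)))
    return {category: rows[:n] for category, rows in ranked.items()}

# Constructed scores for illustration only; they are not Acme's real ratings.
SAMPLE = [
    Threat("Data Breach", "Technological", 4, 5, 1, 2, "Red"),
    Threat("System/Application Failure", "Technological", 4, 4, 1, 1, "Red"),
    Threat("Data Network Failure", "Technological", 3, 4, 1, 1, "Orange"),
    Threat("Voice Network Failure", "Technological", 2, 2, 1, 1, "Yellow"),
    Threat("Earthquake", "Natural", 2, 5, 5, 5, "Yellow"),
    Threat("Wild Fires", "Natural", 2, 3, 4, 3, "Yellow"),
    Threat("Hail", "Natural", 1, 1, 2, 1, "Green"),
]

if __name__ == "__main__":
    for category, rows in top_threats(SAMPLE).items():
        print(category, rows)
```

With these constructed inputs, a low-probability threat such as an earthquake still tops its category because its worst-case impact is the maximum on every dimension.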
This study also measured Acme’s ability to prevent or minimize the negative effects of a threat through mitigation. Mitigation is defined as proactive measures that act to prevent or minimize the negative effects of a disruption. These include physical reinforcements, staffing and response plans that brace, isolate, contain, or respond to effects of natural, human, or technological threats. Mitigation also includes measures that act to prevent, deter or detect an impending threat from manifesting into an incident. The status of Acme’s IT and Business mitigating controls at the facility is as follows:
|#||Mitigating Control||2021 Status|
|1||Fire Life and Safety||Yellow|
|4||Business Continuity Planning||Red|
|5||IT Disaster Recovery Planning||Red|
|6||Data Backup and Off-Site Storage||Yellow|
|7||Change, Problem and Incident Management||Orange|
|9||Data Center Infrastructure||Red|
Each mitigating control was evaluated using the following categories:
- General Status – Status of the control based on comparison to current industry leading practices and standards:
  - Green: Indicates the mitigating control is operating to current industry best practices and standards.
  - Yellow: Indicates the mitigating control is operating but has minimal deficiencies that must be resolved.
  - Orange: Indicates the mitigating control is in place but operating minimally within tolerance and is in need of significant improvement.
  - Red: Indicates the mitigating control does not exist and is affecting performance levels in the process.
During the evaluation of each of the mitigating controls, the following key deficiencies were noted based on interviews and comparison to industry best practices and standards:
- Fire and Life Safety
  - A Fire and Life Safety program is in place to facilitate the safe evacuation of employees, contractors, and visitors in the event of an emergency.
- Physical Security
  - The Alpha and Beta facilities were found to operate with physical security controls that are limited in nature and inconsistent with industry best practices and standards for a company of the size and nature of Acme Widget Corp. This heightens exposure to a number of threats (e.g., workplace violence, unauthorized access, corporate espionage) that could be mitigated with basic physical access control measures.
  - Employee access control badges with photos do not exist. This heightens the potential for unauthorized access.
  - Photo identification is not required at either building entrance as part of the visitor or guest sign-in process.
  - All personnel have 24×7 access to the facility, a significant exposure that should be reduced by limiting after-hours access to those who need it.
- Business Continuity
  - There is no formalized BCM policy outlining the continuity planning requirements that will be met by the organization.
  - A Crisis Management Team (CMT) and plan are documented and in place for Acme Widget Corp. to deal with events affecting the organization. There was no evidence, however, of any training or mock disaster exercises for the team members.
  - There are no business continuity plans for the critical business units of the organization. A disruption to the business will require an ad-hoc recovery that heightens the potential for extended recovery timeframes and significant impacts to customers and stakeholders.
- Vendor Management/Supply Chain Management
  - There is no formal vendor or supply chain assessment and management program that assesses and categorizes vendors' level of criticality to the organization or their business or disaster recovery capability. There are limited contractual clauses related to BC/DR.
- Information Security
  - A high-level review of Information Security controls revealed there is no intrusion-detection software to quickly identify unauthorized access attempts to production systems and applications, another significant exposure.
- IT Disaster Recovery Planning
  - Information Technology does not have an alternate data center that is suitable to recover the critical systems and applications of the organization should a partial or catastrophic loss of the data center occur.
  - There are no documented or tested disaster recovery plans for the critical systems and applications (e.g., ERP, WMS) of the organization. A disruption to the data center will require an ad-hoc recovery that heightens the potential for extended recovery timeframes and significant impacts to customers and stakeholders.
- Data Backups and Offsite Storage
  - Information Technology backs up production application data nightly using its Cohesity environment. Data is backed up locally to the Alpha data domain device and replicated to the Beta data domain device. The nightly data backup and offsite storage process produces a Recovery Point Objective (RPO) of 24 hours for all production data.
  - Application RPOs derived from the recent BIA study must be aligned with the current RPOs in place for the production-computing environment. Gaps between BIA-derived RPOs and current RPOs must be identified and a strategy designed to either reduce the RPO and/or maintain the current level of backup capability.
  - Interviews revealed Information Technology is regularly requested to stop the data expiration process and retain data indefinitely based on discovery requests from Legal. There is no alignment between these processes, which can lead either to data being kept too long, heightening legal exposure, or to an inadvertent loss of data due to backups being returned to the pool to be reused. This is a critical exposure that must be addressed by management as soon as possible.
- Change, Problem, Incident Management
  - Interviews and review of documents revealed Information Technology change management, problem, and incident management policies, procedures, and processes are highly informal in nature and do not follow accepted industry best practices.
- Network Redundancy
  - The Virtual Private Network (VPN)–based network architecture and topology used by Acme is inconsistent with best practices for a global company. Interviews with IT management confirmed this architecture leads to significant latency in application response times and a critical lack of redundancy.
  - There are dual network providers (ATT and Time Warner) with diverse entry points. However, the system is not configured for true failover in the event of a network disruption.
- Data Center Infrastructure
  - The interior of the data center is well maintained with limited to no clutter or disorganization.
  - Overhead cabling is in good condition, labeled, and well managed in each of the server cabinets.
  - Server cabinets are in good condition and were closed.
  - Each server has 2 NICs, multipath A/B power and 2 power supplies. However, A/B power diversity is not used.
  - The Uninterruptible Power Supply (UPS) is at end of life and cannot support the data center if needed during a power outage.
  - The backup diesel generator is shared with the other tenants of the Alpha facility. There is no dedicated backup diesel generator to the primary Acme data center at the Alpha facility.
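The misalignment between backup expiration and Legal's discovery requests noted under Data Backups and Offsite Storage can be closed with a reconciliation check run before any backup set is returned to the pool. The sketch below is an added example, not part of the original report or of any backup product's API: the record layout, the 90-day retention value, the backup ids and the matter numbers are all hypothetical.

```python
from datetime import date, timedelta

RETENTION_DAYS = 90  # assumed policy value; the report does not state one

def active_holds(backup, holds, today):
    """Matters whose open legal hold covers this backup's system and date."""
    return [
        h["matter"] for h in holds
        if h["system"] == backup["system"]
        and h["covers_from"] <= backup["taken"] <= h["covers_to"]
        and (h["released"] is None or h["released"] > today)
    ]

def reconcile(backups, holds, today, retention_days=RETENTION_DAYS):
    """Return {backup id: (action, matters)} for every backup set."""
    plan = {}
    for b in backups:
        matters = active_holds(b, holds, today)
        expired = b["taken"] + timedelta(days=retention_days) <= today
        if not expired:                      # still inside retention window
            plan[b["id"]] = ("retain", matters)
        elif matters:                        # past retention, must not recycle
            plan[b["id"]] = ("hold", matters)
        else:                                # keeping it adds legal exposure
            plan[b["id"]] = ("expire", [])
    return plan

# Constructed sample data (hypothetical backup ids, systems and matters).
TODAY = date(2021, 6, 30)
BACKUPS = [
    {"id": "erp-0101", "system": "ERP", "taken": date(2021, 1, 1)},
    {"id": "erp-0615", "system": "ERP", "taken": date(2021, 6, 15)},
    {"id": "wms-0101", "system": "WMS", "taken": date(2021, 1, 1)},
    {"id": "wms-0201", "system": "WMS", "taken": date(2021, 2, 1)},
]
HOLDS = [
    {"matter": "M-001", "system": "ERP", "covers_from": date(2020, 10, 1),
     "covers_to": date(2021, 3, 31), "released": None},
    {"matter": "M-002", "system": "WMS", "covers_from": date(2020, 10, 1),
     "covers_to": date(2021, 3, 31), "released": date(2021, 5, 1)},
]

if __name__ == "__main__":
    for backup_id, decision in reconcile(BACKUPS, HOLDS, TODAY).items():
        print(backup_id, decision)
```

Recording a release date on each hold is what lets held backups expire again instead of being retained indefinitely.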
The TRA revealed significant findings that require immediate management attention and resolution. Acme has grown at a heightened pace over the past five years with a focus on developing a global distribution footprint of its advanced widget technology. The organization is highly dependent on its people and technology to meet the needs of its customers and stakeholders. It is critical that management address the critical exposures noted in this report in a timely manner to minimize the potential for threats to occur and significantly impact the business.
We hope this sample threat and risk assessment was helpful for you.