Introduction
With increased digitization of most organizational processes, there is a growing need to protect information and prevent unauthorized access to sensitive information. Many companies have fallen prey to hackers and other people who have malicious intentions. Notably, the US government, JTX and other companies around the world have had their information stolen through security breaches (Whitman, 2010, p. 455).
Many more companies like MasterCard are operating under endless threats on their information security systems (Whitman, 2010). There is therefore a strong need to protect sensitive information from unauthorized access and more importantly, there is a strong need to prevent unauthorized physical access to secure areas.
In light of the above observations, this paper seeks to identify and analyze any potential vulnerabilities of an information security system for a local pharmacy. The security information system for the pharmacy requires a combination of both physical and logical access controls that are meant to protect money and goods (pharmaceutical products) from theft. Tasked with the duty of identifying inherent risks associated with this business, this paper establishes physical and logical controls that mitigate the risks identified.
Potential Physical Vulnerabilities and Threats
Physical vulnerabilities and threats may occur in different ways. Genser (2010) observes that many organizations often overlook physical vulnerabilities and threats as important components of security breaches. Threats caused by acts of nature are the most common forms of physical vulnerabilities and threats. Indeed, like many organizations or businesses in the town, the pharmacy is subject to extreme acts of nature which can potentially lead to the loss and damage of equipment (Deswarte, 2004).
The range of disasters that can affect the organization includes lightning, earthquakes, or even tornadoes. Often, when such disasters strike, there is a resultant significant financial loss. However, within this loss is the threat of losing or damaging vital information. This is true because information is normally stored in physical devices such as computers, compact disks and other forms of digital storage.
These devices are not immune to physical vulnerabilities and damage. The environmental conditions that may cause them to malfunction range from excessive heat and too much humidity to damage that results from water contamination. Different acts of nature can cause many of the above environmental conditions (Deswarte, 2004).
Lastly, considering the pharmacy is located in a busy shopping mall, there are several environmental threats (specific to the mall) which pose different physical vulnerabilities. Certain building malfunctions such as power outages, or poor maintenance of building infrastructure such as water pipes and power lines, may increase the pharmacy’s vulnerability to physical threats.
These vulnerabilities may lead to power outages or water leaking from the ceiling, thereby causing damage to equipment. Some of these vulnerabilities may also cause hardware failure (Deswarte, 2004).
Logical Vulnerabilities and Threats That Require Consideration
The most common logical vulnerabilities and threats that pose a danger to the pharmacy are caused by acts of man. These threats can be caused by errors of omission or commission, but they may equally be caused by third parties who may have an ulterior motive on the organization.
For example, a member of staff may fail to include important information in the company records, thereby causing a malfunction in the data system. Similarly, a member of staff may key-in wrong figures in the company’s financial system, thereby misrepresenting the company’s true financial information. For the pharmacy, such vulnerabilities and threats exist.
The failure to use power-on passwords and the loss or malfunction of tracking devices to recover stolen equipment also contribute to the organization’s logical vulnerabilities (Walsh, 2012). Other vulnerabilities (associated with the threat of introducing malicious code) are the lack of regular updates to the antivirus software and the easy access to administrator privileges, such that users can easily access the system and turn off the antivirus software.
Other logical vulnerabilities may also be caused by the failure to set up proper physical controls to prevent the entry of unauthorized personnel in secure business areas. For example, if all employees are allowed to access the company’s main system hub, users may gain entry into the company’s systems and create a security breach.
The failure to secure highly confidential information through passwords may also exacerbate the level of threat that logical vulnerabilities pose to the organization (Walsh, 2012). Similarly, if the passwords are not kept highly confidential, unauthorized personnel may learn such vital codes and use them to gain access to the company’s systems.
From the list of possible threats and vulnerabilities identified above, we can see that people who pose a threat to the organization transcend the conventional perception of thieves and hackers. Employees and visitors (who enjoy organizational trust) can also pose a threat to the organization.
Potential Impact of All Identified Physical Vulnerabilities
The potential impact of all the identified physical vulnerabilities above is enormous. Perhaps the most visible impact is the financial loss that may accrue from damage to the organization’s equipment. These costs may be realized from replacing such equipment or investing in more stringent security measures to reinforce the premises against any physical damage.
Other financial costs may arise from lawsuits or even of the loss of vital information entrusted to the organization. For example, being an agent of the healthcare business, confidentiality is highly important for the pharmacy. However, because of the occurrence of physical threats, such information may be lost, damaged or leaked.
Such an eventuality may prove to be disastrous for the business. Many organizations that often fall prey to severe physical threats experience significant setbacks in operations (financially). Some are even forced to close down business (Walsh, 2012).
Another potential impact of the physical vulnerabilities identified above is poor organizational performance (Dorantes, 2006, p. 13). Any of the physical vulnerabilities identified above can cause this impact. For example, if the pharmacy is affected by damage to its physical structures, it cannot operate efficiently.
Say some of the equipment used to run the company’s operations were destroyed by a water leak (from the roof) and the organization lost records of the previous week’s operations, or a list of its most important contacts (such as suppliers). It would be extremely difficult for the organization to operate efficiently under such conditions. Overall organizational performance would decline (Dorantes, 2006).
Potential Vulnerabilities That May Exist In the Documented Network
The documented network is an important component of the pharmacy’s operations. It contains different pieces of information which are important to the functions of the business. Meghanathan (2010) explains that the documented network may contain information such as the organization’s IP addresses, or even its hardware configuration. The documented framework is prone to different security vulnerabilities.
Worker incompetence is one such vulnerability because unqualified workers are likely to cause many errors to different processes in the documented framework. For example, the documented framework needs regular maintenance processes which need to be undertaken by qualified personnel.
Similarly, qualified personnel should be able to troubleshoot any problems associated with the network without much difficulty (Meghanathan, 2010). However, if the personnel employed do not know how to conduct or oversee such activities effectively, the reliability of the documented framework may be flawed.
The failure to regularly update the documented framework is also another basis of vulnerability which needs to be regularly checked. The documented framework works through an ever-changing system which is informed by the changing activities in the operating environment.
For example, the pharmacy engages in different activities (which change by the day) and therefore they need to be updated regularly to the documented network. The failure to update the changing variables in the security system poses a threat to the reliability or even the validity of information provided by the network (Meghanathan, 2010).
Potential Impact of All Identified Logical Vulnerabilities to the Network and the Pharmacy
The impact of the previously mentioned logical vulnerabilities stretches far and wide (throughout the organization’s operations). Many of the logical vulnerabilities identified in this paper center on human failures to protect the system. One possible impact of the logical vulnerabilities identified in this paper is time wastage. An organization’s time is precious and most of it should be used to improve the operations of the business as opposed to undertaking activities which do not profit the organization.
The failure to prevent unauthorized access to administrator privileges or the failure to regularly update the antivirus software can lead to a lot of wasted time if an attack occurs. For example, if there is a security breach and vital information is stolen, an organization may spend a lot of time trying to recover information at the expense of improving the organization’s performance. Therefore, the activities of an organization can be interfered with in this regard and a lot of time wasted (Whitman, 2010).
The failure to regularly update antivirus software can also severely affect the functionality of the pharmacy’s system (if it is not detected in good time). This oversight can also lead to the spread of new and dangerous elements into the organization’s systems, including malicious software, Trojan horses, or even viruses.
These malicious codes may destroy or alter systems, including electronic protected health information (ePHI). These security threats are real and they may pose a severe danger to the functionality of the systems (Whitman, 2010).
Finally, this paper identifies errors of omission and commission as possible elements contributing to logical vulnerabilities. Similarly, this paper identifies the lack of physical safeguards to prevent unauthorized personnel as another element contributing to logical vulnerabilities. These logical vulnerabilities may lead to the loss of trust in an organization (Whitman, 2010). Many organizations operate on the basis of a shared trust with not only their customers but other stakeholders as well.
For example, if a bank is prone to information security breaches, customers may lose confidence in it and decide to bank their money elsewhere (because of fear of loss). A pharmaceutical company also suffers the same risk. Any of the identified logical vulnerabilities can result in such an impact.
However, the impact is more severe if information security breaches happen frequently. In addition, considering the fact that the nature of the pharmacy’s operations is sensitive (health-related), the impact of a security breach may be disastrous if not life-threatening. Indeed, a security compromise of the organizational operations may have a far-reaching impact on the activities of the organization and the health of everybody who depends on it (Tipton, 2011).
Dealing with the Risks (Physical Vulnerabilities and Threats)
So far, we have seen that acts of nature and environmental threats (which may be caused by the location of the pharmacy in the shopping mall) constitute the most notable physical vulnerabilities and threats to the pharmacy. To deal with the risks caused by acts of nature, secondary data storage devices need to be used to back up any data that may be lost because of the destruction of equipment.
These secondary data storage devices should not be stored near the pharmacy because if an act of nature occurs, they may be destroyed alongside the store’s equipment. Preferably, it would be wise to use cloud computing services to store such data because it is safer this way. The destroyed equipment can later be replaced and the stored data reinstated back to the systems (Whitman, 2010).
Dealing with environmental risks arising from the operations of the shopping mall is however a tricky affair. The pharmacy may not have direct control over maintenance services in the mall and therefore, it is highly vulnerable to different security threats such as loss of power or water leaks.
To deal with the risk of power outages, it is important for the pharmacy to have a backup power system. Similarly, it is important for the pharmacy to undertake further renovation to its premises so that it can prevent the contamination of its equipment from water leaks and similar risks. Preferably, it would be better to locate its technology equipment in a tamper-proof room (Whitman, 2010).
Dealing with the Risks (Logical Vulnerabilities and Threats)
Different logical vulnerabilities and threats have been identified to pose a risk to the security of the pharmacy’s information systems. The threats identified are equipment theft, loss of information and the launch of malicious codes on the pharmacy’s data network. Consequently, we have also established that these risks pose different vulnerabilities.
The vulnerabilities associated with theft or losses are the failure to use power-on passwords and the loss or malfunction of tracking devices to recover stolen equipment. The second group of vulnerabilities (associated with the threat of malicious code) are the lack of regular updates to the antivirus software and the easy access to administrator privileges, so that users can easily access the system and turn off the antivirus software. These vulnerabilities can be managed differently.
Dealing with such logical vulnerabilities and threats is difficult. However, insuring against such risks is a practical strategy that can be adopted by the pharmacy to deal with such risks. This measure may be unpopular among most organizations but it is informed by the fact that it is difficult to completely eliminate all logical vulnerabilities or threats. This measure also works to protect the pharmacy against all the logical risks and vulnerabilities identified (Whitman, 2010).
Controls (Logical Vulnerabilities and Threats)
Administrative
To mitigate the probability of workers making errors, strict supervision should be given to employees who have direct access to the system. This way, workers would be more careful while using the system. In addition, to prevent the theft of equipment and unauthorized access to the pharmacy’s equipment (and the data it holds), a security guard should be placed at the entrance of the room housing all the equipment.
Preventive
To protect the pharmacy’s vulnerability against unauthorized access to data, file encryption tools can be used (Walsh, 2012, p. 17). File encryption is an effective way of protecting stored data. This security control will also protect the organization against the threat of accessing data from stolen equipment.
Detective
To prevent unauthorized access by users to the organization’s information, procedures for auditing users can be introduced to the pharmacy’s systems so that unauthorized users are easily detected. In fact, this security control should be launched alongside another security control that locks out a user’s account once it is detected that the user has made five (or so) unsuccessful login attempts (Walsh, 2012, p. 17).
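The auditing-plus-lockout control described above, as an added example that is not part of the original paper: a small audit-log check that counts failed logins per user inside a time window, resets the count on a successful login, and flags the account once the threshold (five attempts, as the paper suggests) is reached. The log format, user names and timestamps are constructed for this example; a real system would read its own authentication log.

```python
"""Flag accounts for lockout after repeated failed logins in an audit log.

Added example, not from the paper. The log line format
"<ISO timestamp> user=<name> outcome=<SUCCESS|FAILURE>" is constructed
for this example; real authentication logs use their own formats.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample audit log (chronological). Expected behaviour:
#   dave  - five failures 10 minutes apart: outside a 15-minute window, no lockout
#   alice - one success
#   bob   - six failures within 30 seconds: locked at the fifth failure
#   carol - one failure, a success (resets the counter), then four failures: no lockout
SAMPLE_LOG = """\
2024-03-01T08:00:00 user=dave outcome=FAILURE
2024-03-01T08:10:00 user=dave outcome=FAILURE
2024-03-01T08:20:00 user=dave outcome=FAILURE
2024-03-01T08:30:00 user=dave outcome=FAILURE
2024-03-01T08:40:00 user=dave outcome=FAILURE
2024-03-01T09:00:01 user=alice outcome=SUCCESS
2024-03-01T09:02:10 user=bob outcome=FAILURE
2024-03-01T09:02:15 user=bob outcome=FAILURE
2024-03-01T09:02:20 user=bob outcome=FAILURE
2024-03-01T09:02:25 user=bob outcome=FAILURE
2024-03-01T09:02:30 user=bob outcome=FAILURE
2024-03-01T09:02:35 user=bob outcome=FAILURE
2024-03-01T09:05:00 user=carol outcome=FAILURE
2024-03-01T09:05:30 user=carol outcome=SUCCESS
2024-03-01T09:06:00 user=carol outcome=FAILURE
2024-03-01T09:06:05 user=carol outcome=FAILURE
2024-03-01T09:06:10 user=carol outcome=FAILURE
2024-03-01T09:06:15 user=carol outcome=FAILURE
"""


def parse_line(line):
    """Split one constructed log line into (timestamp, user, outcome)."""
    ts_str, user_field, outcome_field = line.split()
    return (
        datetime.fromisoformat(ts_str),
        user_field.split("=", 1)[1],
        outcome_field.split("=", 1)[1],
    )


def detect_lockouts(log_text, threshold=5, window_minutes=15):
    """Return {user: timestamp} for accounts that reached `threshold`
    failed logins within `window_minutes`. A successful login clears the
    user's failure history, so only consecutive recent failures count."""
    window = timedelta(minutes=window_minutes)
    recent = defaultdict(list)  # user -> timestamps of recent failures
    locked = {}                 # user -> time the threshold was reached

    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, user, outcome = parse_line(line)
        if user in locked:
            continue  # already flagged; later attempts would be rejected
        if outcome == "SUCCESS":
            recent[user].clear()  # successful login resets the counter
            continue
        # Keep only failures that still fall inside the sliding window.
        failures = [t for t in recent[user] if ts - t <= window]
        failures.append(ts)
        recent[user] = failures
        if len(failures) >= threshold:
            locked[user] = ts
    return locked


if __name__ == "__main__":
    for user, when in detect_lockouts(SAMPLE_LOG).items():
        print(f"lock out {user}: threshold reached at {when.isoformat()}")
```

The window matters as much as the threshold: with the default 15-minute window only bob is flagged, while widening it to an hour also catches dave's slow, spaced-out failures, which is the pattern a simple "five in a row" rule without a time window would miss in the other direction. The audit record of the flagged time is what a reviewer would later check against the CCTV and door logs the paper recommends.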
To detect the theft of equipment, CCTV cameras should be installed in the premises and finally, to detect any human errors on the company’s systems, regular checkups should be done to verify that all the information is accurate.
Corrective
As a corrective measure against the theft of equipment, a tracking device can be installed in all equipment so that it is easily traceable. To correct errors of omission in the company’s financial books, a contingency fund should be established. Finally, to correct security breaches, the information stolen (such as passwords) should be changed immediately so that it cannot be used against the organization.
Controls (Physical Vulnerabilities and Threats)
Administrative
To control physical threats caused by acts of nature, it is important to have a risk management plan to minimize the effects of such risks occurring. Indeed, it is impossible to prevent acts of nature from occurring but the pharmacy should have a risk management plan stipulating what needs to be done in the event that such risks occur (Christoffersen, 2011). The risk management plan will change the entire business paradigm to make the pharmacy operate in a “risk-aware” way.
As opposed to limiting the activities of the organization, the risk management plan will enable the organization to operate in an effective way while still being able to protect its infrastructure and property. This security control also protects the pharmacy against other physical vulnerabilities and threats caused by its environment.
Preventive
A preventive measure that can be taken to protect the pharmacy against the impending physical threats and vulnerabilities is to reinforce its structural framework so that it cannot be severely affected by acts of nature or the complementary environmental risks.
Detective
Detecting the physical threats and vulnerabilities discussed in this study is difficult. However, the pharmacy can rely on scientific tools such as environmental forecasts (for acts of nature) and any breakages or cracks to the infrastructure of the building to pre-empt any disasters (or environmental threats) (Christoffersen, 2011).
Corrective
As a corrective measure, the pharmacy can have a standby team to repair any physical damages made to the building (to correct environmental threats). Similarly, the pharmacy can have a contingency fund to finance the replacement of its equipment if any damages are realized (Christoffersen, 2011).
Conclusion
Different risks and vulnerabilities surround the activities of the pharmacy. However, the key to dealing with such risks and vulnerabilities is to pre-empt them. This paper provides a guideline of the risk controls and measures that may be taken to achieve this outcome. The main success factor for this entire process, however, lies in the proper implementation of these plans. Through such plans, the pharmacy can operate in an optimum way while remaining fully aware of the risks surrounding its operations.
References
Christoffersen, P. (2011). Elements of Financial Risk Management. London: Academic Press.
Deswarte, Y. (2004). Security and Protection in Information Processing Systems: IFIP 18th World Computer Congress: TC11 19th International Information Security Conference, 22-27 August 2004, Toulouse, France. New York: Springer.
Dorantes, C. (2006). The Impact of Information Security Breaches On Financial Performance of the Breached Firms: An Empirical Investigation. Journal of Information Technology Management, 17(2), 13-20.
Genser, M. (2010). Trustwave Launches Physical Security Testing. Web.
Meghanathan, N. (2010). Recent Trends in Network Security and Applications: Third International Conference, CNSA 2010, Chennai, India, July 23-25, 2010, Proceedings. New York: Springer.
Tipton, H. (2011). Information Security Management Handbook. London: CRC Press.
Walsh, T. (2012). Security Risk Analysis and Management: An Overview (Updated). Web.
Whitman, M. (2010). Management of Information Security. London: Cengage Learning.