Emergency Preparedness FMJ Article
Computer Risk Management
Facility management, computer risk management and disaster
recovery
Hermann Gruenwald and Eren Erdener
The recent assaults on high-profile, business-to-consumer
Web sites, such as Yahoo, e-Bay, Buy.com, CNN.com, Etrade
and others resulted not only in revenue losses ranging from
millions to more than a billion dollars and disenchanted
consumers, but alerted businesses that they are not invincible.
Not only have the benefits and business opportunities of
the Internet pervaded our lives, but so has its darker criminal
side.
The incidents we have recently seen are but one form of
DoS (denial of service) attack: the flooding of a network
with bogus traffic. The bogus traffic can be generated by
one or more attackers or by executing code planted on the
servers of several unsuspecting companies. Misconfigured
computer routers are likely to lie at the center of the
most recent problems. Computer vandals managed to deposit
attack programs on third-party sites, then use those sites
to attack their targets. This increasing security dependency
of one Internet site on the security of other sites caused
President Bill Clinton to convene a meeting of government
officials, Internet companies and Web site providers to
discuss the “long-term plan” to prevent distributed
denial-of-service attacks.
With computer systems increasingly under attack, it is
no wonder that people are starting to take computer security
more seriously. Computer risk management protects your computer
and everything associated with it—your building, your
network, peripherals, disks and tapes. Most important, computer
security protects the information you have stored in your
system (Russell and Gangemi, 1991), including the FM systems
information and the related files concerning: space inventories
(alphanumeric and graphic data), facility and space planning
data, cost data, lease management data and asset inventories
management data. How is your company dealing with computer
risk management? Do you have a disaster recovery plan for
computers and communication resources? A disaster may be
defined as “an interruption of mission-critical information
services for an unacceptable period of time” (Toigo,
1996). The disaster recovery planning process requires
the following steps:
1. Project initiation;
2. Risk analysis;
3. Strategy development;
4. Plan implementation; and
5. Support and maintenance
Responding to a disaster potential before it becomes a
disaster is the first objective of disaster recovery planning.
The second objective is to minimize the costs associated
with disaster potentials that cannot be eliminated.
Risk analysis is the most misunderstood activity in disaster
recovery planning. Among the first tasks of risk analysis
is threat assessment within the context of the company’s
physical location, support infrastructure and prevention
capabilities to establish the company’s exposure.
Computer criminals are no different from the common criminal,
but they are a new breed of terrorists who operate remotely
with relatively inexpensive, easily accessible technology.
The next question is, what are the potential targets within
the corporation? Will it be the headquarters building, the
manufacturing plant or a remote data center? Will the attack
be executed remotely through communication and computer
systems, or from within through social engineering of employees?
What countermeasures are currently in place in terms of
physical security, and electronic surveillance/detection?
The answer will lead to a clearer understanding
of the existing situation, but still does not determine
the risk. All kinds of number games can be played in determining
the risk level. Most companies underestimate the risk until
something happens. Despite average revenue in excess of
$1-billion for Fortune 1000 companies, more than 40 percent
of them spent less than $1 million per year on security,
according to Forrester Research in Cambridge, Mass. In an
increasingly interconnected e-commerce world, time has a
different meaning. Certainly you cannot eliminate all risks,
but how well are you prepared to recover quickly from disasters?
About the authors:
Hermann Gruenwald, Ph.D., AIA, is a visiting associate professor
at the Michael F. Price College of Business, University
of Oklahoma, Norman, Okla., USA.
His research focuses on e-commerce and computer risk management.
Eren Erdener, Ph.D., AIA, an IFMA member, is an associate
professor of the College of Architecture at the University
of Oklahoma in Norman, and his research interest is in facility
management.