Threat 6 – Internet failure
Businesses use many different types of communication internally and externally, such as post, email, telephone and fax. The most efficient way to communicate is by email, as it is instantaneous and can also carry documents. If the Internet connection at CosmoLabs were to fail, staff would be unable to send emails containing test results to clients, unable to send internal emails and reports to upper management, and unable to reply to any queries or comments sent in by email regarding tests, facilities or prices. The effect on the business would be dissatisfied customers, the possible loss of potential customers, and a major inconvenience to staff if email is widely used to communicate internally.
This disaster could arise from any number of electrical problems that take only minutes to fix, or it could occur through someone breaking a server accidentally or intentionally. It could also arise through no fault of the company but of its Internet provider, which is outside the company's control, or it could arise through a power cut that leaves none of the computers operational.
To avoid this risk it would be advisable to have a backup power source (as discussed earlier) and also to have backup servers in case one or more go down. No Internet provider is capable of providing a connection 100% of the time, so this risk, like all of the above, is impossible to avoid completely; all that CosmoLabs can do is prepare for it.
If CosmoLabs lost its Internet connection there are several things that must be done to try to regain it. First, check whether the problem is on CosmoLabs' end or with the Internet provider. Then phone the Internet provider and enquire why the connection has been lost. After those steps have been taken, CosmoLabs must inform its customers by phone and, if any test results or documents were due to be sent by email that day, give the customer the choice of either waiting until the Internet service returns or having them sent by post.
Physical threats
Threat 1 - Natural disasters
Natural disasters are a threat to the business because, if one were to occur, it would have a severe market-based impact, with implications such as business disruption, temporary unemployment and financial loss, which could result in the company collapsing because it can no longer operate sufficiently. It would also have a non-market-based impact, as a catastrophic event may result in injury to or the death of staff. A fire can also cause excessive damage to the company's buildings and physical facilities, which could be destroyed.
Threat 2 – Theft and vandalism
Additional threats include theft, which can take various forms, such as a breach and theft of company information by an outsider hacking into the system or by a corrupt employee obtaining information to use unlawfully for his or her own purposes. There is also the theft of company hardware, software or data, which could contain important company plans such as financial records and future projects.
Threat 3 - Fires
If a fire occurs, the onsite fire department can respond more rapidly than an external fire department, which will need time to get to the site before it can fight the fire. Staff members can also move to pre-assigned gathering points, where safe, so they can be accounted for and kept safe. In addition, a sprinkler system would help to minimise damage to important data and reduce overall damage.
Internal fires can be dealt with in several ways depending on what is causing the problem. Appropriate cooling systems should be put in place for machinery that generates heat, to reduce the risk of fires starting from it. Staff members will require training in fire prevention to reduce the likelihood of them causing a fire. If a fire does occur, staff members will need to know what to do, and important documents, data and test items will require protection from the fire.
These will involve the use of fire detection equipment and fire prevention equipment. An example of this is an onsite fire department, where trained firefighters are ready to deal with any fires that appear.
Threat 4 – Single access to site
The barrier and the single access are a risk because the access could get blocked or the barrier could break down, resulting in reduced or no access to the company.
Threat 5 – No backup power supply
A power outage presents a high risk because many test items require refrigeration, and large amounts of data are stored on computers, which require a constant power supply whilst in use.
Threat 6 – Collapsed trees
If one or more of the trees along the drive were to collapse, this could delay staff and test samples getting to the facility, which could result in delayed results, which in turn could invalidate the tests. Also, if the single access were blocked and an emergency occurred inside, emergency vehicles would be unable to get in, which is a hazard in itself. In a worst-case scenario a tree could collapse onto a delivery van and result in lost samples and/or death or injury to the driver. If either of these materialised it would be bad publicity, which no company needs, and would affect the company's public image. If one of the trees directly surrounding the facility collapsed it may break machinery or equipment or injure employees. While these risks are being corrected the business has lost valuable resources which can't be easily replaced, and when they do get replaced it is at great expense to the business. Even if a tree collapses around the compound but avoids hitting anything, it can still be a hazard for vehicles and will still cost the business money to move. This is a high-level risk with a low chance of occurrence.
Threat 7 – Postal Strikes
This is a major problem for CosmoLabs because, if samples are delayed, it will delay testing, delay results and probably cause some disruption in the day-to-day running of the business. It isn't just samples that are sent by post but also general mail, including customer queries and complaints, invoices, cheques from customers, etc. If these are delayed the problem isn't as big as if a sample is delayed, but it may cause some frustration within the business.
Human threats
Threat 1 - Labelling
This threat could produce a massive loss in revenue for the company as time and resources could be wasted if correct procedures were not in place to avoid such a threat. The likelihood of this threat occurring could be at a medium level.
Threat 2 - Data Entry Error
This is mainly human error, but the repercussions are disastrous, with timescales, resources and revenue being affected. Without correct training, the probability of this threat occurring is high.
Threat 3 – Misuse of Data
This threat could endanger not just the business but also potential victims of fraud. There is a low probability of this threat occurring.
Threat 4 - Pandemic
This could bring a potential loss of human life, of business revenue, of customers or even, potentially, global domination. The chance of this threat occurring is low, but it would have disastrous effects if it ever did.
Threat 5 – Contamination of Samples
This threat is dangerous not only to consumers but also to the trade of the business and to employees. It would carry a medium risk because of the speed at which samples need to be split.
Threat 6 – Animal rights activist
The main threats that animal rights activists pose to CosmoLabs are as follows.
Because CosmoLabs is based in a discreet location, it may come under attack from known and unknown sources, and it would be very difficult to discover which part of the site is the primary target of an attack. The large number of trees is also potentially highly dangerous, because trees can easily be cut down and set ablaze. All parts and surroundings of CosmoLabs that provide some sort of cover, in particular the woodland areas, need to be cut down to eye level so that there is a clearer view of any sudden, unexpected movements in the surrounding areas.
The greenhouses at the main entrance need a lot of protection, such as barriers and fences, against any imminent attacks. There are other measures by which CosmoLabs can subdue and prevent further attacks. Because members of staff clock in and out frequently, there is a security risk that any of those staff members could be recruited by the animal rights activists; CosmoLabs management should make it so that the only time employees clock out is when their shift is over.
There are other areas that need to be examined. Each delivery of samples to be tested and passed on to the associated laboratories should be accompanied by some form of security, and when post, letters and parcels are received from courier services, parcel carriers or the postal service, security personnel need to be in place to make sure that no unspecified packages that may be a threat to CosmoLabs are cleared.
Countermeasures
Electrical/IT/Security
Threat 1 - Viruses
In addition, the virus risk can be avoided by using security software such as virus scanners and firewalls, which will prevent or at least reduce the chances of data breaches from outside the company. Different staff levels should also be used within the company so that staff members can access only the data they require, reducing breaches from within the company.
Threat 2 – IT developed in house
Rather than being reliant on the person that developed the software in house, it would be best to get a company to develop the software because a company can provide help at all times, even if the person who wrote the software disappears.
Threat 3 - CCTV
In order to avoid this type of tragedy, CosmoLabs should have other CCTV locations situated in prime positions all around the laboratory's surroundings, so that all activity taking place at the laboratory is taped and documented for future reference.
Threat 4 – Reliant on one system
The best way to prepare for this risk is to back up data frequently (daily) at an external business, so that if all the company data were lost it could be recovered from a different business; this is also effective when retrieving data after a natural disaster. Another option is to have a duplicate system installed so that, if one crashes or gets hacked, the business can run off the parallel system whilst the other is fixed. However, if a power cut occurs and the first system goes down, the second would go down as well, so this is another reason to get a backup generator capable of supporting the whole business.
If this risk materialised at CosmoLabs at the current time, the only thing they could do is run tests based on guesswork, or not carry them out, and just try to carry on with a possible loss of data. However, if the techniques mentioned above were put in place, CosmoLabs could run off a parallel system whilst maintenance is carried out on the original system, or get data from the external company.
Threat 5 - Hackers
The first step, if it occurred, would be to find out how the intruders managed to enter the system and block off that access to stop other potential hackers. The next step would be to find out what damage had been done and how to fix it, and the final step would be getting the business back up to an operational standard. Whichever server or system was hacked should be replaced as soon as possible, as you can never be sure that the intruder didn't plant some bug in the system. It is also advisable to rotate or completely change passwords on a monthly basis.
Threat 6 – Internet failure
To avoid this risk it would be advisable to have a backup power source (as discussed earlier) and also to have backup servers in case one or more go down. No Internet provider is capable of providing a connection 100% of the time, so this risk, like all of the above, is impossible to avoid completely; all that CosmoLabs can do is prepare for it.
If CosmoLabs lost its Internet connection there are several things that must be done to try to regain it. First, check whether the problem is on CosmoLabs' end or with the Internet provider. Then phone the Internet provider and enquire why the connection has been lost. After those steps have been taken, CosmoLabs must inform its customers by phone and, if any test results or documents were due to be sent by email that day, give the customer the choice of either waiting until the Internet service returns or having them sent by post. For internal communication, any documents or reports which need to be delivered to management or to a different building should be printed off and delivered in person.
Physical threats
Threat 1 – natural disasters
Earthquakes cannot be prevented, but there are guidelines that can be put in place to reduce the impact and damage on the company, such as securing large items like cupboards, wardrobes, refrigerators and TVs with sturdy metal fasteners to keep them from falling. In addition, protective film can be used to prevent flying glass, which could cause injuries during and after an earthquake; this will save injuries and possibly lives. Removing objects from hallways and from near exits also goes a long way as preparation for an emergency in which an exit route must be secured: it enables individuals to evacuate the building in an earthquake without fallen furniture or storage blocking the exit.
Landslides can be prevented by planting deep-rooted plants along the suspected slide area. They will take root and grow deeper, anchoring some of the soil around the roots. Drainage is also a big issue, as water flowing on a hillside during a storm will eventually cause a slide. This can be prevented by redirecting that flow or by providing a way for the water to pass through, such as a man-made creek bed running down the hillside. As long as there is plenty of vegetation, a slide is not likely to take place.
For hurricanes, there are several ways to prevent severe damage to the company, such as installing hurricane tie-downs, as roofs often go first in severe storms. Metal tie-down straps can keep roof rafters tied to the top wall of the house; this prevents uplift during a hurricane's high winds. Straps can also secure walls to floors and keep floors tied tight to foundations.
Threat 2 – Theft and vandalism
These types of theft can have a severe impact on the company through a loss of finances, which could affect the day-to-day running of the company. However, to prevent these risks there are risk assessments that should be put in place, such as the following:
- Prevent unauthorised access to programs and data by making sure the system is password protected.
- Set up a firewall for the Internet connection.
- Make sure the computers have anti-virus software installed and that these programs are kept up-to-date.
- Back up the information and store backed up information away from its normal work place in a secure, fire-protected environment.
- Ask staff to be careful when opening suspicious looking email attachments.
- Train staff to set up secure passwords (containing letters, numbers and punctuation).
- Train staff to change passwords regularly and to keep these passwords secret.
- Train staff to be careful in their email and Internet usage and to refrain from sharing data or personal information online.
In addition, to prevent theft of hardware and software, computer devices should be locked to the workstation; furthermore, software data should be encrypted so that only a few company employees are able to access it.
Threat 3 – Fire
There are two ways fires can affect the business. These are external fires and internal fires.
External
External fires can have a huge effect on the business and its continuity. Either way, these will have to be dealt with because they will affect business continuity. This will result in the company having to delay or even cancel scheduled tests. This will also affect other companies, because they depend on the tests being carried out by this company. It will also result in increased costs to repair any damaged facilities, equipment or buildings. It will also harm staff members if they are not adequately aware of proper fire procedures or kept away from fires.
To help avoid the risk of natural fires, preventive measures will have to be taken. These will involve the use of fire detection equipment and fire prevention equipment. An example of this is an onsite fire department, where trained firefighters are ready to deal with any fires that appear. To help protect data stored on paper or on computers, it could be kept within fireproof safes to reduce the damage in the event of a fire. Staff can also be protected by training them so they know what to do in the event of a fire and what not to do.
If this risk occurs, the onsite fire department can respond more rapidly than an external fire department, which will need time to get to the site before it can fight the fire. Staff members can also move to pre-assigned gathering points, where safe, so they can be accounted for and kept safe.
Internal
As well as external fires there are internal fires, which can be just as damaging to business continuity, or even more damaging because they are closer to important data or test material. These will have to be dealt with as well because they can seriously affect tests and harm staff members. They can also damage the buildings, which will cost the company money and time to fix.
Internal fires can be caused by various things, such as the kitchen in the guard's office or an employee's negligence when carrying out tests. Staff negligence can also cause fires within the company labs, and these will need to be dealt with too. Activists could send devices to the company that may cause damage and affect continuity. In addition, any machinery that creates any amount of heat can be a fire hazard and could harm staff members or affect business continuity.
This risk can be dealt with in several ways depending on what is causing the problem. Appropriate cooling systems should be put in place for machinery that generates heat, to reduce the risk of fires starting from it. Staff members will require training in fire prevention to reduce the likelihood of them causing a fire. If a fire does occur, staff members will need to know what to do, and important documents, data and test items will require protection from the fire.
Threat 4 – Single access to site
Because there is only one access to the company, there is a risk that a natural disaster could block it. Protesters could also block the one access. This will affect the business because staff will not be able to gain access to the company, or deliveries will not arrive or will arrive late, and as some are refrigerated this can cause damage to test samples. In addition, the gate is automated and can malfunction, which will result in it either blocking access or allowing access to the company.
One solution for the barrier risk could be to have a manual override for the gate so it can be opened by hand instead of automatically. However, some more security measures will have to be put in place to stop unauthorised people outside from opening the gate. Another solution could be to have a smaller gate just for people to pass through, which stops vehicles from getting in.
With these changes this risk is vastly reduced, so it is very unlikely to happen. However, if it does happen, a second access should be used to get in and out of the company.
Threat 5 – No backup power supply
The power outage risk can be avoided by the use of a backup power supply like generators or a backup connection to the grid. Another way of avoiding this risk is to use generators on site that will provide enough power to keep refrigerated samples cool and to keep the business running to reduce the impact on customers.
Threat 6 – Collapsed trees
This risk can be avoided by cutting the bushes back frequently (monthly) along the single access and around the compound. It is also suggested that a fence or ditch be put in around the entire compound to stop falling trees and any wildlife that may try to enter the compound. CosmoLabs may also want to consider having another entrance put in place in case the single access gets blocked and staff need to enter or exit the compound.
If the perimeter were severely overgrown and specialised landscapers or forestry workers had to be called in to clear it, this risk would take 2 – 3 days to fix; however, if steps to prevent overgrowth are taken it should be OK. If a natural disaster materialises and several trees collapse over the entrance and around the facility, the priority would be to clear the access to allow any emergency vehicles through if they are required. In order to do this the trees would need either to be dragged from the entrance to a different location or to be cut up if they are too big to be dragged by a vehicle of some description. This again would require the help of someone like the Forestry Commission, so it is advisable to have their number stored in a safe place. Once this is done, emergency vehicles would have access to assist anybody who is injured; once that has been done, the other trees which collapsed in the compound can be cleared. However, if a tree has collapsed on machinery or a building, the priority is to make sure operators are safe and healthy.
Threat 7 – Postal strikes
Unfortunately there is nothing CosmoLabs can do to stop post office workers from going on strike. The best way to avoid delays in the post is either to post items and letters of importance a few days in advance or, for all the important deliveries, to make sure that reliable and efficient parcel couriers are used.
If the postal workers do go on strike, or post is delayed for whatever reason, there is not a lot you can do besides explain the problem to the client or customer and apologise for any delay or inconvenience caused.
Human threats
Threat 1 – Labelling
Appropriate training could be given to minimise the possibility of human error in the workplace. Stock and equipment also need regular checks to ensure there are adequate levels of the stock needed to complete the procedures. A lack of supplies could lead to other measures being taken which are not appropriate for the business; for example, having no labels could lead to verbal labelling, where samples are taken to the next department and staff there are told verbally what they are, which would lead to confusion.
Threat 2 – Data entry error
Correct training and shift rotation would reduce the risk of incorrect data being entered into the system. Another countermeasure would be to have each set of data checked by another colleague, but that would take up human resources that could be used towards the daily workload. A bespoke piece of software could also be written that uses check constraints whilst data is being entered, giving the user no margin for error.
Threat 3 – Misuse of data
This threat could involve security breaches in which personal or company data is acquired for personal gain, or just simple chit-chat in the local pub, where such talk could get data into third parties' hands without the person knowing it is happening. Such incorrect use of data could be disastrous if the media gained knowledge of it, as the media could make implications just to create a story. All important data should have restricted access and only those who have permission should be able to access it; data is one of the biggest commodities a company can have.
Threat 4 - Pandemic
A pandemic could start without the knowledge of any individual, and the disease could leave the grounds of the company by all manner of routes; the only true way to minimise the chance of such a disaster would be to take precautions at the exit of every building. Hand sanitisers could be made compulsory on entering and leaving any building. Something as simple as an open window in a laboratory could jeopardise the containment of a biological hazard, as the wind could blow biological particles around, leaving a greater chance of an outbreak.
Threat 5 – Contamination of samples
Samples could get contaminated in a number of ways, so to prevent this from happening strict guidelines must be followed to reduce the risk of contamination. A contaminated sample would need to be disposed of in the correct manner according to the set guidelines.
Threat 6 – Animal Rights Activist
The risk can be avoided by CosmoLabs making sure that all the necessary steps have been taken to contain the animal rights activists, and by having the public relations expert fully explain to the activists that their concerns are being dealt with in the best way possible, so that they know that what they are doing is wrong. New policies can be introduced so that the animal rights activists will not have any need to protest at the CosmoLabs laboratory, such as a constant police presence, so that protesters know CosmoLabs is not taking the situation in which it has been placed lightly, and some form of barricade to prevent the animal rights activists from entering the CosmoLabs compound. A more extreme measure for dealing with the animal rights activists is to have them all arrested for trespassing.
Recommendations
Electrical/IT/Security
Threat 1 – viruses
Because some data is stored on computers, there is an added risk of hackers and viruses, which can affect this data and possibly compromise the company's security and privacy. This can affect the continuity of the company because it will need this data for tests or to send the results to customers who have sent items to test.
This risk may occur due to inadequate data security on the computers, which will leave the data vulnerable to attack. It would also be a breach of the law, the Data Protection Act 1998, which makes companies protect all the data they hold; as a result the company can be legally liable for any data breaches, which can affect continuity and cost the company a lot of money.
This risk can be avoided by using security software such as virus scanners and firewalls, which will prevent or at least reduce the chances of data breaches from outside the company. Different staff levels should also be used within the company so that staff members can access only the data they require, reducing breaches from within the company.
If this risk does occur, the data breaches must be closed instantly to try to stop it. Also, if a staff member accesses data that they were not meant to access, someone must be alerted to this and deal with it as it happens.
Threat 2 – IT development in house
Tailor made “Bespoke software development”
The company could decide to outsource its requirements, needs and specifications by having programmers brought in externally to build the business software it requires. This means the outsourced programmers will have to offer long-term support and maintenance.
Tailor made “Bespoke systems development”
Advantages
- In “assembling” a bespoke application, the amount of code that has to be written from scratch is small – this saves programming time and simplifies testing and debugging.
- The modules are written by specialist programmers, are often extremely sophisticated and are constantly evolving. This means that it is possible to develop cutting-edge applications today that can be readily upgraded in the future.
- Improves your company's data storage and retrieval capabilities
- Improves the way in which data can be reported - either on screen or printed
- Grow the system according to your company's needs or budget
- The design is precisely as per your requirements; no more, no less
- A single integrated bespoke system can do the work of a number of individual off-the-shelf packages. This means that training need only be carried out on a single package.
Having a bespoke application developed for you can potentially provide you with major business and commercial benefits and allows your business to gain significant competitive advantages. Bespoke applications are generally easier to use and can work around the way you do business, rather than the other way round. However, you have to expect to pay more for it than for a packaged solution (both in time and money) and it is also essential that you use a professional developer who works to industry standards and who is happy to provide you with the source code to your application and on-going support for the package.
Threat 3 – CCTV
The main purposes of the closed circuit television are:
- Protecting the health and safety of employees, and visitors at the laboratory.
- Monitoring the security of the laboratory and the sites around it.
- The prevention, investigation and detection of disciplinary offences posed by activists of any kind.
- The identification and disciplining of individuals who breach College policies.
- Assisting in the traffic management of the laboratory and the monitoring of traffic movements and parking in and around the laboratory.
As was previously stated, the position and location of the CCTV security posts is very important, which means that there needs to be more than one CCTV location, both on site and off site.
The CCTV locations need to be positioned to cover all the blind spots so that the full security features a CCTV implementation has to offer are realised. The area needs to be cordoned off so that any unexpected movement will be detected immediately.
The CosmoLabs Security Manager should be made accountable for the following CCTV procedures:
- Ensure that the installation and operation of the CCTV system complies with the CCTV Code of Practice issued by the Office of the Information Commissioner.
- Ensure that the system is maintained and repaired when necessary.
- Deal with any complaints regarding the operation of the CCTV system and ensure that they are dealt with under the terms of the laboratory's internal complaints procedure.
- Retain images for evidential purposes and ensure they are kept in a secure place to which access is controlled.
- Ensure that the notification lodged with the Office of the Data Protection Commissioner covers the purposes for which this equipment is used.
Actions to Implement and Develop the Policy
The principles of operation of the CCTV system are:
- The CCTV system is provided for the benefit and protection of the public and of CosmoLabs employees and equipment.
- The CCTV system will be used for the protection of people subject to harassment or intimidation, monitoring of vehicle and pedestrian traffic and the maintenance of goods orders being delivered to the laboratory.
- The recording medium will be overwritten and any copies destroyed after 31 days unless required as evidence in Police or internal disciplinary or civil proceedings.
On removing the medium on which the images have been recorded for use in legal proceedings, the Security staff and/or the Physical Security Manager will ensure that they have documented:
- The date on which the images were removed from the general system for use in legal proceedings.
- The reason why they were removed from the system.
- Any crime incident number to which the images may be relevant.
- The location of the images.
- The signature of the collecting Police Officer or other Government agent where relevant.
CosmoLabs may release recordings to the Police or other authorised Government agencies for the purposes of the prevention or detection of crime, the apprehension or prosecution of offenders, or in the interests of national security, or in other circumstances where the College is legally obliged to do so, or in accordance with the specified purposes of the CCTV system. The identity of individuals on the recording not relevant to the investigation or the request for access will be obscured unless the individuals have given their consent. The identity of individuals on the recording whose presence is relevant to the investigation or request for access will be disclosed if they give consent for this, and may be disclosed if this consent is refused when deemed reasonable to do so in the circumstances.
All operators and employees with access to images should be aware of the procedures which need to be followed when accessing the recorded images.
All operators should be trained in their responsibilities under the CCTV Code of Practice issued by the Data Protection Commissioner and be aware of and comply with the CCTV Policy.
They must ensure that access to, and disclosure of, the images recorded by CCTV and similar surveillance equipment is restricted and carefully controlled; not only to ensure that the rights of individuals are preserved, but also to ensure that the chain of evidence remains intact should the images be required for evidential purposes. The reason(s) for disclosing copies of the images must be compatible with the reason(s) or purpose(s) for which they were originally obtained.
All College employees with access to CCTV images should be aware of the restrictions set out in this policy in relation to access to, and disclosure of, recorded images.
Access to recorded images must be restricted to staff who need access in order to achieve the purpose(s) of using the equipment. All access to the medium on which the images are recorded should be documented. Disclosure of the recorded images to third parties should only be made in limited and prescribed circumstances.
For example - if the purpose of the system is the prevention and detection of crime, then disclosure to third parties should be limited to the following:
- The Police and other authorised Government agencies where the images recorded would assist in a specific criminal enquiry.
- Prosecution agencies.
- Relevant legal representatives.
- The media, where it is decided that the public’s assistance is needed in order to assist in the identification of victim, witness or perpetrator in relation to a criminal incident. As part of that decision, the wishes of the victim of an incident should be taken into account.
- People whose images have been recorded and retained (unless disclosure to the individual would prejudice criminal enquiries or criminal proceedings)
All requests for access or disclosure should be recorded. If access or disclosure is denied, the reason should be documented.
If access to or disclosure of the images is allowed, then the following should be documented:
- The date and time at which access was allowed or the date on which disclosure was made.
- The identification of any third party who was allowed access or to whom disclosure was made.
- The reason for allowing access or disclosure.
- The extent of the information to which access was allowed or which was disclosed.
Recorded images should not be made more widely available – for example they should not be routinely made available to the media or placed on the Internet.
If it is intended that images will be made more widely available, that decision will be made by the Principal. The reason for that decision should be documented.
If it is decided that images will be disclosed to the media (other than in the circumstances outlined above), the images of individuals not party to the investigation will need to be disguised or blurred so that they are not readily identifiable.
Threat 4 – Reliant on one system
Have several different computer systems that back up each other and are also connected to several different servers, located at different locations, which back up the data and information held in those computers. As for the security of the backed-up information, there needs to be an encrypted firewall, which will provide extreme security against hacking attacks from the animal rights activists' supporters.
The installation and implementation of new computer systems that are backed up by servers in a safe, well-protected location is very important because, if there are any system malfunctions, system shutdowns, power surges or other activities that threaten information, the servers would be able to store all processes that were executed prior to the shutdown. In addition, the employees at CosmoLabs will realise that they no longer have to fear for the safety of their test data and results, and that the installation of the new computer systems has proven to be a great strategic and tactical move.
It is recommended that CosmoLabs transfer data daily to an external company so it can easily be restored if the system crashes.
Threat 5 - Hackers
It is recommended that CosmoLabs is equipped with the most up-to-date and effective security program within budget. It is also recommended that passwords and security codes are changed frequently; if a server does get hacked, it must be replaced as soon as possible.
- Harden your systems (also called "lock-down" or "security tightening") by:
  - Configuring necessary software for better security
  - Deactivating unnecessary software - disable any software that isn't needed or is seldom used, as it is the most vulnerable to attacks
  - Configuring the base operating system for increased security
- Patch all your systems - intruders can gain root access through the vulnerabilities (or "holes") in your programs. Keep track of "patches" and/or new versions of all the programs that you use, and avoid using new applications or those with previously documented vulnerabilities.
- Install a firewall on the system, or at least on the network, that blocks unauthorised network traffic coming to and leaving a system, and gives permission to transmit and receive only to user-authorised software.
We suggest the following services for Stopping Unauthorized Access, using firewalls:
- Tighten the Routers to the Internet to reduce unauthorised access
- Deploy Strong Packet Filtering Firewalls in your network
- Develop bespoke Servers or Internet services client and server software
- Assess your network from the internet to test security.
- Run a vulnerability scanner against your servers
- Monitor your network traffic
- Refer to your system log - it will reveal unauthorized services running on the system and hacking attempts
Also, more complex security checks will show whether your system is exposed through uncontrolled Internet Control Message Protocol (ICMP) packets.
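The system log review recommended above can be partly automated. The following is an added example, not part of the original report: it counts failed SSH logins per source address and flags a successful login that follows a run of failures. The log lines, host name, user names, addresses and the threshold of 3 are constructed assumptions.

```python
import re
from collections import defaultdict

# Constructed sample lines in OpenSSH/syslog style; host, users and
# addresses (documentation ranges) are made up for this example.
SAMPLE_LOG = """\
Mar  3 02:14:01 lab-gw sshd[2211]: Failed password for invalid user admin from 203.0.113.50 port 40122 ssh2
Mar  3 02:14:03 lab-gw sshd[2211]: Failed password for invalid user admin from 203.0.113.50 port 40122 ssh2
Mar  3 02:14:06 lab-gw sshd[2214]: Failed password for root from 203.0.113.50 port 40130 ssh2
Mar  3 02:14:09 lab-gw sshd[2217]: Failed password for jsmith from 203.0.113.50 port 40133 ssh2
Mar  3 02:14:12 lab-gw sshd[2219]: Accepted password for jsmith from 203.0.113.50 port 40140 ssh2
Mar  3 08:30:45 lab-gw sshd[3100]: Failed password for akhan from 198.51.100.7 port 51512 ssh2
Mar  3 08:30:52 lab-gw sshd[3100]: Accepted password for akhan from 198.51.100.7 port 51512 ssh2
""".splitlines()

FAILED = re.compile(
    r"sshd\[\d+\]: Failed password for (?:invalid user )?(\S+) from (\S+) port \d+")
ACCEPTED = re.compile(
    r"sshd\[\d+\]: Accepted \S+ for (\S+) from (\S+) port \d+")


def review_auth_log(lines, threshold=3):
    """Summarise failed logins per source address.

    threshold is an assumed tuning value: the number of failures from one
    source at which that source is reported.
    """
    failures = defaultdict(int)
    users_tried = defaultdict(set)
    success_after_failures = []

    for line in lines:
        failed = FAILED.search(line)
        if failed:
            user, source = failed.groups()
            failures[source] += 1
            users_tried[source].add(user)
            continue
        accepted = ACCEPTED.search(line)
        if accepted:
            user, source = accepted.groups()
            # A login that succeeds after a run of failures from the same
            # source is the case to investigate first.
            if failures.get(source, 0) >= threshold:
                success_after_failures.append(
                    (source, user, failures[source]))

    repeated = {
        source: {"count": count, "users": sorted(users_tried[source])}
        for source, count in failures.items()
        if count >= threshold
    }
    return {"repeated_failures": repeated,
            "success_after_failures": success_after_failures}


if __name__ == "__main__":
    report = review_auth_log(SAMPLE_LOG)
    for source, info in report["repeated_failures"].items():
        print(f"{source}: {info['count']} failed logins, "
              f"users tried: {', '.join(info['users'])}")
    for source, user, count in report["success_after_failures"]:
        print(f"INVESTIGATE: {user} logged in from {source} "
              f"after {count} failures")
```

A single mistyped password followed by a success, as in the second constructed source, stays below the threshold and is not reported.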
When using passwords don't use:
- real words or combinations thereof
- numbers of significance (e.g. birthdates)
- similar/same password for all your accounts
Use encrypted connections - encryption between client and server requires that both ends support the encryption method
- Don't use internet programs unless the passwords they pass over the Internet are strongly encrypted
- Never send sensitive information over email
Do not install software from little-known sites, as these programs can hide malicious software; if you have to download a program, use a checksum to verify its authenticity prior to installation. Limit access to your server(s) and limit other users to certain areas of the file system or to the applications they can run.
Refrain from using systems that have already been compromised by hackers; when this happens, reformat the hard disk(s) and re-install the operating system. Use anti-virus software, keep your virus definitions up to date and complete regular scans.
Here are some of the ways in which web hosting providers' security officers face these challenges. These include:
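The checksum check recommended above, as an added example that is not part of the original report. It assumes the publisher lists a SHA-256 digest and that the digest is obtained over a trusted channel, separately from the download itself; the file contents and function names are constructed for illustration.

```python
import hashlib
import hmac
import os
import tempfile


def sha256_file(path, chunk_size=1024 * 1024):
    """Hash the file in chunks so large installers do not fill memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def verify_download(path, published_hex):
    """Return True only if the file matches the publisher's SHA-256 digest."""
    expected = published_hex.strip().lower()
    # Reject a truncated or mistyped digest instead of comparing against it.
    if len(expected) != 64 or any(c not in "0123456789abcdef" for c in expected):
        raise ValueError("published value is not a SHA-256 hex digest")
    return hmac.compare_digest(sha256_file(path), expected)


def demo():
    """Verify an intact file, then the same file after one byte is appended."""
    original = b"constructed installer bytes v1.0\n"  # stand-in for a download
    # Stand-in for the digest the publisher would list on its site.
    published = hashlib.sha256(original).hexdigest()
    fd, path = tempfile.mkstemp(suffix=".bin")
    try:
        with os.fdopen(fd, "wb") as fh:
            fh.write(original)
        intact = verify_download(path, published)
        with open(path, "ab") as fh:
            fh.write(b"\x00")  # simulate corruption or tampering
        altered = verify_download(path, published)
    finally:
        os.remove(path)
    return intact, altered


if __name__ == "__main__":
    intact, altered = demo()
    print("intact file accepted:", intact)
    print("altered file accepted:", altered)
```

A matching digest shows the file is the one the publisher released; it says nothing about whether the publisher itself is trustworthy, which is why the advice about little-known sites still applies.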
- Looking at new products/hacks
- Regularly reviewing policies/procedures
- Constant monitoring of well-known connection routes
- Frequent installation of patches
- Protect the systems against possible attack from customers
- Investment in firewall and other security measures, including encrypted communications in the server management and account management systems
- Use of secure certificates on web sites
- Purchase and deployment of products according to identified needs
- Monitoring suspicious traffic patterns and dealing with them either by shunting away such traffic as bad, or by handling it through a content-distribution system that spreads it across the network.
Threat 6 – internet failure
It is recommended that CosmoLabs have a direct point of contact with its internet supplier so that, if for whatever reason the internet goes down, it can get in contact with someone who knows what the problem is and how long it will take to return it to an operational level.
Physical threats
Threat 1 – Natural disasters
There are several prevention techniques that can be applied depending on the disaster. An earthquake cannot be prevented, only prepared for: furniture can be kept from falling by securing large items like cupboards, wardrobes, refrigerators and TVs with sturdy metal fasteners. Furthermore, protective film can be applied to glass to reduce the risk of flying glass, which could cause injuries during and after an earthquake. Additionally, as stated before, removing objects in hallways or near exits can help, as preparation for an emergency where it becomes necessary to secure an exit route.
We feel this is the best way to reduce the risk, as earthquakes cannot be prevented because they cannot be foreseen; only their impact on the company can be reduced.
Furthermore, there are methods by which landslides can be prevented, as stated before, such as planting deep-rooted plants along the suspected slide area. This will hold the surface strongly together. We believe this is a very good method to reduce the risk, as other businesses have implemented it and it has proven to be successful.
In addition, hurricanes can be prevented, and we feel that company hurricane tie-downs will go a long way, as metal tie-down straps can keep roof rafters tied to the top wall of the building; this prevents uplift during a hurricane's high winds. Yet again, we believe this is a very good method to reduce the risk, as other businesses have implemented it and it has proven to be successful.
Threat 2 – Theft and vandalism
In order to reduce the threat of theft and vandalism, it is recommended that CosmoLabs increase the number of security cameras around the facility and also carry out random security searches on personnel periodically to make sure they are not smuggling out samples or unreleased test results. It is also recommended that a fence is erected around the perimeter of the facility to stop outsiders coming in through the farmland to vandalise the buildings; this is also a recommendation to combat the risk of collapsed trees.
Threat 3 - Fires
External fires can be caused by natural disasters or by humans. Naturally fires can be caused by dry trees surrounding the base and set alight by a very hot day or another natural event. Humans can cause fire as an act of protest against the base because some tests will have to be carried out on animals. Also they could send devices into the company in an effort to damage the company.
The risk of internal fires can be avoided by using a fire detection system that alerts everyone that there is a fire in the company, and where it is, so that it can be dealt with. Training staff members in ways to avoid causing fires, and in what to do when a fire happens where they are working, will help reduce this risk. Scanning systems can be used as well, which will scan any deliveries that come to the company and will identify which ones will cause harm and possibly affect the safety of staff and the continuity of the business.
Threat 4 – Single access
This risk can occur because trees from the forest surround the one access road and these trees can fall down due to natural disasters or by protesters and block the one access to the company. Protesters may block the access because they are against some of the tests carried out on animals. Also due to a power failure, the gate would not work resulting in stopping all access in and out of the company.
Threat 5 – No backup power supply
Because of the importance of the business processes and tests, the power used is also a risk because it can be lost at any time for any reason therefore it needs to be anticipated for and dealt with when it happens. The risk of a loss of power is great because it can result in many tests not being completed in time or being delayed thus reducing customer satisfaction. This also poses a risk of losing test material that requires refrigeration.
This may happen because of a grid failure or due to a protest cutting off the power. A grid failure could be caused by human error or a natural disaster and in either case it will stop the company until it is fixed which results in a loss of profits and test material that is kept refrigerated. Also protesters may resort to cutting off the power supply which will result in the same issue as the grid failure mentioned previously.
This risk can be avoided by the use of a backup power supply like generators or a backup connection to the grid. Another way of avoiding this risk is to use generators on site that will provide enough power to keep refrigerated samples cool and to keep the business running to reduce the impact on customers.
If the power does fail for any reason, the backup supply should come in immediately, thereby keeping the continuity of the business.
Threat 6 – Collapsed trees
It is recommended that a fence is put in place around the perimeter of CosmoLabs and that brush and overhanging limbs of trees are cut back on a monthly basis by an external company.
Threat 7 – Postal strikes
CosmoLabs could take out a private delivery contract with a well-trusted delivery company such as Parcel Force, DHL, etc. that would last throughout the postal strike by Royal Mail, in order to have the samples that they need delivered on time and intact. The private delivery contract could also prove profitable for CosmoLabs, because any losses incurred by them through the unreliability caused by the postal strikes can easily be regained through the private delivery service.
This is very important because, assuming that some of the animal rights activists are aligned with some postal workers and are forcing those postal workers to organise strike actions that would make it very difficult for laboratories such as CosmoLabs to receive letters and parcels that contain vital testing supplies and results crucial to tests being done at the laboratory, the postal strike will prove instrumental to their cause against CosmoLabs.
Human threats
Threat 1 - Labelling
Extensive training needs to be given in the area of labelling products correctly. Equipment like handheld label printers will be used so that there is no confusion from reading someone’s handwriting. All stock levels are to be checked regularly to ensure there are sufficient supplies of labels, ink etc. Staff need to be on a strict rota system to counter the prolonged monotony of jobs, which in turn could create tiredness.
Threat 2 – Data entry error
Training needs to be provided on using a new system. I believe a bespoke piece of software that checks data constraints upon entry will drastically reduce errors arising in the input of data. Such software would not cost much and the benefits outweigh the cost of implementing such a new system. All guidelines of policies and procedures must be accessible to staff.
Threat 3 – Misuse of data
Passwords need to be provided to different levels of staff so that they can access only what they need to access. This would eliminate any misuse of data because, if any misuse were happening, the system would know who logged on and that person could be approached. Disciplinary action should also be taken if such an incident should arise. This user access system should be implemented throughout the company in every department.
Threat 4 - Pandemic
Each and every exit door to buildings should have hand sanitizers distributed. In labs where samples are handled, appropriate clothing must be worn and company guidelines (stated in the next risk) must be followed to keep the environment sterile. Adequate facial masks and decontamination areas must be provided and regularly checked.
Health and safety, not only in the workplace but also within policies, would ensure that any employee returning from being off sick would have to be cleared of their illness before being allowed to resume their position at work, thus reducing any contamination in the workplace.
Threat 5 – Contamination of samples
There are different ways in which the contamination threat can be stopped such as by having different chemical neutralisers and observant so that if there are any indications of chemical spillage or attack, the chemical neutraliser i.e. “alarm, and persons that are of a chemical mind who know how to handle chemical disasters”. Also the neutralising of the contamination attack can be handled by various authorities who are well experienced in handling such delicate matters and also the contamination consultants should be able to know the best approach that should be taken.
Doors and windows in the laboratory must be kept closed to prevent air currents, which may cause micro-organisms from surfaces to become airborne.
What follows is a general protocol for persons entering, studying, or working in a laboratory environment.
- Upon entering the lab, place all books, coats, purses, and backpacks, in designated areas, not on the bench tops or in walkways.
- Notice the location of safety equipment: fire extinguisher, eyewash, first aid kit, and broken glass container.
- Do not remove cultures, chemicals, or other materials from the lab unless permission has been granted, or the experimental procedure requires it.
- All spills and accidents should be cleared up in accordance with the specific instructions on the material’s packaging, or advice should be sought from a senior member of the laboratory personnel.
- Wash skin immediately and thoroughly if contaminated by chemicals or micro-organisms. Note where the eyewash and shower are.
- Use appropriate apparatus for the job.
- Upon completion of lab exercises, place all materials in the appropriate disposal bin.
- Leave the lab clean and organized.
Threat 6 – Animal rights activist
In order to deal with the threat caused by the animal rights activists, all the surrounding areas of the CosmoLabs laboratory, both internal and external, should be protected with huge fences that will prove difficult for the animal rights activists to break down. CosmoLabs management should also cut down the trees and anything else that offers any type of shading, so that any of the animal rights activists who are using them as a form of weapon will have no choice but to vacate those areas. There should also be a constant police presence to deter the animal rights activists and to let them know that their presence is being taken seriously; in doing so, some of the animal rights activists who do not want to be arrested may end up backing down.
Business Continuity Plan (Fire)
Initial Response
- Receive initial notification of possible, impending, or in-progress disruption or disaster.
- Evacuate all employees from buildings to meeting point using emergency exit routes and floor plans.
- Determine the extent of the emergency. Alert appropriate emergency response organisations (fire, police, etc.)
- Identify whether anyone has been killed or injured.
- Retrieve BCP from where it is safely kept.
- Look in BCP at areas of responsibility and chain of command and notify those people to begin their duties upon a disaster.
- If some important players are absent then assign alternatives which are in BCP.
- If any emergency contact numbers are needed, these will be within the BCP, whether they are for internal personnel (CEO, CIO, legal advisor, etc.) or external personnel and services (police, fire, ambulance, security services, utility companies, building maintenance, etc.)
- Check employees against the list for absentees and, if there are casualties, notify emergency services as appropriate.
- Initiate the disaster recovery team (DR) to work in conjunction with emergency services.
- Distribute appropriate masks/clothing (high visibility vests)
- Assess communications situation and if needed distribute walkie-talkies to each team/parties.
- Notify business recovery team & corporate executives.
- Dispatch appropriate trained medical personnel to assist with triage or to manage the situation until emergency responders arrive.
- Assess damage; determine appropriate BCP/DR activation steps.
- Notify appropriate BCP/DR team members.
- Prepare preliminary event report or log. Communicate with appropriate parties.
- Alert employees of resumed services
- Retrieve data from external backup source
- Deploy backup data to new computer systems
- Complete initial testing of new system
- Resume business operations
Damage and Situation Assessment
- Review preliminary event report or log.
- Assess structural damage, health and safety impact and risks.
- Determine extent and severity of disruption to operations.
- Assess financial loss.
- Prepare final assessment and report, notify DR teams of findings.
- Report or log, communicate with appropriate parties.
- Activate DR teams if they have not already been activated.
- Review recovery options based on disaster assessment.
- Select best recovery options for the situation, begin plan to implement recovery options
- Notify management and crisis communications teams.
- Prepare a disaster declaration statement that can be communicated to employees, press and local authorities, DR team and community contacts.
- Monitor progress.
- Document results in event log, communicate with appropriate parties.
- Amend BCP
What a BCP must contain
Emergency Response Contact List, Maps, Floor Plans
- External emergency contact numbers: Police, sheriff, Fire, Hospital, Ambulance, Other
- Emergency response team contact numbers: Emergency response team leader, Medical staff, Evacuation leaders, Search and rescue staff, Crisis team manager and/or corporate executive contact
- Maps: Evacuation routes and assembly areas, Shelter-in-place assembly areas, Escape routes from site—primary and secondary (several options may be needed depending on disaster scenario), Floor plans, Location of fire doors, fire extinguishers, Location of utility closets, circuit breaker panels, power lines, Location of gas, electric, water lines, Location and nature of hazardous materials
Emergency Supplies and Equipment
- Depending on the size of your company, the location of the facilities, and the nature of the business, you may need other supplies than those listed. Develop a list of supplies and equipment needed, a schedule for testing needed equipment on a periodic basis, a procedure for performing periodic maintenance on equipment, and a process for performing a periodic inventory count of supplies.
- First aid supplies (portable kits, additional supplies).
- CPR training and equipment.
- Fire suppression equipment (fire extinguishers, etc.).
- Hazardous materials safety equipment.
- Hazardous materials containment and clean up equipment/supplies.
- Water, water purification tablets, shelf-stable food supplies (for shelter-in-place).
- Clothing, blankets, and other materials (injuries, cold climates, shelter-in-place).
- Emergency communications equipment (walkie-talkies, batteries, etc.).