Risk description Owner Likelihood Severity of Impact Controllability

Risk Description Owner Likelihood Severity of Impact Controllability

Unauthorized Access Internal or External access to unauthorized information through hacking or installing malware. Office of Technology Medium Medium High

Theft of Information Theft of an employee's laptop or other mobile device containing confidential information All employees and supervisors Low Low High

Employee Disclosure Employees accessing information without business need and disclosing it to other people All employees and supervisors High Medium Medium

Malicious Software Viruses installed through inappropriate internet use or mass emails causing breaches in information. Office of Technology and all Users Low Medium High

Equipment Failure System goes down preventing access to information and possibly disabling vital security Office of Technology Low High High

Breach in Transit In some instances employees travel with confidential information and there are also tape back up records that must be transported to storage facilities. There is a risk of these items being lost or stolen. Office of Technology and all Users High Medium Medium

Human Error Employees could leave out, fax, or email confidential information that could be viewed by an unauthorized person. All employees and supervisors High Low High

Disaster A natural disaster could cause loss of power, security, and access. Office of Technology Low High Low

The risk register is for some risks faced by the State of Indiana. The State of Indiana has confidential information for every resident and every business that resides in the State or does business with the State. The main risk that the State faces is loss of information. There is not a global marketplace for the State but policies are greatly affected by politics. Employees take the lead from their superiors and as always in politics these superiors can be greatly swayed by others.

The first risk is unauthorized access through hacking or placing malware in the system. Unfortunately this can happen via internal and external sources giving it medium likelihood of occurrence. Although there is no global marketplace this risk could occur globally. Hackers all over the world could try to gain access to the States information and use it for personal gain such as identity theft. The impact would be in the medium range because although the unauthorized users would gain access to information the security in place would catch them before they could get anywhere within the information. The office of technology has put many security measures in place to prevent this. There are layers of protection including hardware, software, policies, and procedures so there is a high level of controllability. In the event of unauthorized access the IT department needs cut off the access as quickly as possible and then determine how the access was granted. Once this is determined they need to ensure that access cannot be granted in this way again.

Another risk is the theft of information via an employees' laptop or mobile media device. The likelihood of this is low because these devices are usually kept in a locked office and the severity of impact is low because all of the devices require a password and the information is encrypted. There is a high level of controllability because as long as employees keep their mobile devices in the office there is very little risk of them being stolen. There are policies in place requiring employees to keep state property on the state premises to prevent theft. There are also policies against sharing of passwords that would allow others access to information on the mobile devices.

Another risk is employee disclosure. Employees have access to a large amount of confidential information including information about their friends, family, enemies, and any business they can think of. This information should not be accessed without business need and should not be disclosed to other people. The likelihood of this occurring is high because employees have unlimited access depending upon what department they work in and nothing is stopping them from taking a peek at information besides their conscience. The impact level is medium because not all information is being disclosed. Controllability is medium because training classes and information can be given to all employees regarding confidentiality but ultimately supervisors have to leave it up to their employees to do the right thing. There are policies in place regarding disclosing information and if information is disclosed the employee will lose their job. This does help prevent disclosure in most cases.

Malicious software is another risk. Internal or external users can put malicious software in place alike. It would be as easy as sending an e-mail to an employee that has the malicious attached to it and when the employee opens the email the sender can gain access to all programs and passwords used by the employee. The likelihood of this happening is low because The State has very strong spam filters and they are constantly scanning emails and files to help detect these things. The impact would be medium because if someone where successful at getting into the system they would have access to very confidential information including banking information. Controllability is high because the security systems in place can quickly catch the malicious files and stop them and email all employees to let them know what to watch out for.

An additional risk is equipment failure. Equipment failure can take the entire state down because all of the offices across the state are all tied to the same servers in the state capitol. If equipment were to fail everyone would lose access. The likelihood of this occurring is low because there are generators and backups in place to keep the state running. The impact would be high because as discussed earlier everyone would lose access including but not limited to the BMV, Child Protective Services, Department of Transportation, The State Police, etc. These divisions are mentioned because a loss of access could have very large and very real effects much faster than some of the other divisions. Controllability is high because if the proper things are put into place such as generators and back up systems the State is prepared for a failure and able to get the systems back up in a very short period of time.

Breach in transit is also a risk. Occasionally employees have to travel with their state equipment. Also all data is backed up on disks

...