"A risk assessment of the Piql Services" by FFI

is no continuous surveillance in the system to catch irregular transactions, it is not brought to light soon enough, and the information is already in the wrong hands. As the insider is a high-level operator, and as such enjoys a certain level of respect from his/her co-workers, the operator is not challenged when picking up the piqlFilm from the operator port, nor do the other employees react when he/she leaves the facility with the films.

Box: The piqlBox is not affected during the theft.

Film: The piqlFilms in question are not damaged, but they are removed without authorised permission.

Power/energy supply: The power supply is not affected during the theft.

Divergence from ISO standard: The storage conditions of the Piql Preservation Services are not affected during the theft.

Security mechanisms

Integrity: As the piqlFilms are not damaged during the incident, the data is not lost in the sense that it is altered. The integrity of the piqlFilms thus remains intact.

Availability: The availability of the piqlFilms is compromised, as the information stored on them is no longer accessible to the data owner.

Confidentiality: Most importantly for the data owner, the confidentiality of the information stored on the piqlFilms was irrevocably compromised, as another actor who absolutely should not have had access to its contents did gain access. The loss of confidentiality also resulted in grave financial consequences for the data owner.

Immunity (against attacks on the above mentioned): The Piql Preservation Services is not immune to attacks on availability or confidentiality.

Recommended protective measures

Recommendations: To mitigate the threat of the insider, the following guidelines are advised:

1. Make sure sound procedures for vetting of potential employees are in place during hiring processes. These can include full security clearance or criminal record and credit check depending on sector.
2. Perform such checks at regular intervals, not just at the start of the employment, to ascertain whether any change in circumstance has come about which can have a negative effect on the way an


FFI-RAPPORT 16/00707
