I need to answer these two posts and give your thoughts on it and if you agree or not, thanks.

Q2 - Second greatest threat

The second greatest threat identified was information security. The business collects personal patient information on an onsite server and a secondary cloud backup. A third-party contractor maintains the computers and the server for the business. The door to the server room is not locked. Add this to the lax building security, this poses a serious problem. The server unit sits about four inches off the floor. This is an issue because Whitewood Creek has flooded multiple times since Deadwood was formed and at least once after the building was built in the late 90's. In that flood, there was six to ten inches of standing water in the basement, were the server is located.

It is recommended that the server be relocated to a location higher off the floor, and that the server room door be locked at all times. The business does use the server room for other functions, but a keypad lock with individual codes for each employee or lock system that works with RFID keys would help secure the room from physical intrusion by a threat.

RE: Q1 - Most significant threat

The most significant threat in risk assessment is the building security. The two businesses that occupy the building split the bill on a building security system, but there are major gaps in the security system, such as the system not being activated every time the employees leave for the night. It is recommended that the business being audited, invest, and install a CCTV system. Even thought the other business in the building is not being audited, both businesses share a patient entrance that and an employee entrance on the side of the building that faces the back parking lot and Whitewood Creek. The doors remain unlocked during business hours. The employee entrance does not have an attendant and anyone can enter without resistance. The main patient entrance is, also, not viewable by the receptionist.

Through the assessment, it is recommended that the business install CCTV in the entry way, the reception area, and a camera on the employee entrance. Once camera on the exterior of the building would work, but second camera that covers the interior door would be best. The weather in the Black Hills can severely limit the effectiveness of the exterior cameras. All units would be viewable by the receptionist's computer and by the doctors' computers. After that, discussions can be had on the feeds being accessible by other personnel, as requested/reviewed.

It is also recommended that keypad locks or RFID locks be installed on the exterior door and individual codes/RFID tags be given to the employees. The door of most concern is the non-monitored employee entrance. The combination of CCTV monitoring with a locked employee entrance would greatly increase building and employee safety.