Risk Assessment for CloudXYZ Security Network Architecture
Added on 2023-06-13
15 Pages2929 Words491 Views
Information Security
Management
Management
Table of Contents
1. Introduction.....................................................................................................................................3
2. Risk Assessment............................................................................................................................3
2.1 Owner Specifications..................................................................................................................3
2.2 Assets..........................................................................................................................................4
2.3 Assets Table.................................................................................................................................4
2.4 Threats and Vulnerabilities for Asset.........................................................................................4
3. Likelihood Level Computation..................................................................................................7
4. Impact Table Specification........................................................................................................9
5. Threat Level..................................................................................................................................11
6. Vulnerability Level......................................................................................................................12
7. Risk Identification.......................................................................................................................13
8. Risk Level.......................................................................................................................................13
9. Summary and Recommendations.........................................................................................13
10. Conclusion.................................................................................................................................14
References............................................................................................................................................14
1. Introduction.....................................................................................................................................3
2. Risk Assessment............................................................................................................................3
2.1 Owner Specifications..................................................................................................................3
2.2 Assets..........................................................................................................................................4
2.3 Assets Table.................................................................................................................................4
2.4 Threats and Vulnerabilities for Asset.........................................................................................4
3. Likelihood Level Computation..................................................................................................7
4. Impact Table Specification........................................................................................................9
5. Threat Level..................................................................................................................................11
6. Vulnerability Level......................................................................................................................12
7. Risk Identification.......................................................................................................................13
8. Risk Level.......................................................................................................................................13
9. Summary and Recommendations.........................................................................................13
10. Conclusion.................................................................................................................................14
References............................................................................................................................................14
1. Introduction
In UK, a cloud service provider named CloudXYZ, provides IT network/ system for various
organizations. CloudXYZ ensures securing storage and virtual server services for both the individual
customers and for the organizations. Ultimately, they target on security system for preventing or
decreasing any business loss due to incidents like data modification, malfunction, data deletion and
information stealing. The task of this project includes to perform risk assessment for the provided
security network architecture. For performing risk assessment, there exists certain “open-source”
methods and some proprietary methods, which provides answer to the questions like- What must be
protected? What are the vulnerabilities and threats? What are its implications? What value it has to the
organization? and What could decrease the damages? Therefore, these are the advantages of risk
assessment methods. The utilized risk assessment methods are, Qualitative Risk Assessment Matrix
(RAM), Risk Probability and Impact Assessment, Combination of checklists and what-if analysis methods,
and Preliminary environment risk ranking method. The ISO 27001 based Risk Assessment Tool is
effective solution. The impact analysis and likelihood are the other tasks which will be performed during
the risk assessment on the given system. Because, it helps to determine the potential impacts resulting
from the critical business processes. Moreover, the risk assessment methods help to provide
suggestions of whether the system’s security, integrity, confidentiality must be increased or not?
2. Risk Assessment
2.1 Owner Specifications
For maintaining the database, security tool, website and other services which provides a
function for security vulnerability or exposure identification is known as capability. Here, the user
denotes the owner and the owner has the responsibility of maintaining the capability. The CVE
(Common Vulnerabilities and Exposures) compatibility provides the facility of sharing the data, only
when there is accurate capability mapping. Thus, it is required that CVE-compatible capabilities should
meet minimum accuracy requirements (Cve.mitre.org, 2018).
The owner specifications include the following (Cve.mitre.org, 2018):
1) The Owner should have valid phone number, email ID and address.
2) The capability should give additional information or value that is provided in the CVE
such as, name, references, description and related data.
3) The queries related to CVE functionality of the capability and mapping must be provided
by the technical point of contact which the owner has.
4) By using CVE names ("CVE-Searchable"), the capability show let the users to locate the
security elements.
5) The CVE names must be used for Security Service to mention the user which of the
security elements are tested or detected by the service ("CVE-Searchable").
6) The Service should enable the client to decide the related CVE names for those
elements ("CVE-Output"), for the report which recognizes the single security elements,
by completing at least one of these- letting the client directly incorporate CVE names in
In UK, a cloud service provider named CloudXYZ, provides IT network/ system for various
organizations. CloudXYZ ensures securing storage and virtual server services for both the individual
customers and for the organizations. Ultimately, they target on security system for preventing or
decreasing any business loss due to incidents like data modification, malfunction, data deletion and
information stealing. The task of this project includes to perform risk assessment for the provided
security network architecture. For performing risk assessment, there exists certain “open-source”
methods and some proprietary methods, which provides answer to the questions like- What must be
protected? What are the vulnerabilities and threats? What are its implications? What value it has to the
organization? and What could decrease the damages? Therefore, these are the advantages of risk
assessment methods. The utilized risk assessment methods are, Qualitative Risk Assessment Matrix
(RAM), Risk Probability and Impact Assessment, Combination of checklists and what-if analysis methods,
and Preliminary environment risk ranking method. The ISO 27001 based Risk Assessment Tool is
effective solution. The impact analysis and likelihood are the other tasks which will be performed during
the risk assessment on the given system. Because, it helps to determine the potential impacts resulting
from the critical business processes. Moreover, the risk assessment methods help to provide
suggestions of whether the system’s security, integrity, confidentiality must be increased or not?
2. Risk Assessment
2.1 Owner Specifications
For maintaining the database, security tool, website and other services which provides a
function for security vulnerability or exposure identification is known as capability. Here, the user
denotes the owner and the owner has the responsibility of maintaining the capability. The CVE
(Common Vulnerabilities and Exposures) compatibility provides the facility of sharing the data, only
when there is accurate capability mapping. Thus, it is required that CVE-compatible capabilities should
meet minimum accuracy requirements (Cve.mitre.org, 2018).
The owner specifications include the following (Cve.mitre.org, 2018):
1) The Owner should have valid phone number, email ID and address.
2) The capability should give additional information or value that is provided in the CVE
such as, name, references, description and related data.
3) The queries related to CVE functionality of the capability and mapping must be provided
by the technical point of contact which the owner has.
4) By using CVE names ("CVE-Searchable"), the capability show let the users to locate the
security elements.
5) The CVE names must be used for Security Service to mention the user which of the
security elements are tested or detected by the service ("CVE-Searchable").
6) The Service should enable the client to decide the related CVE names for those
elements ("CVE-Output"), for the report which recognizes the single security elements,
by completing at least one of these- letting the client directly incorporate CVE names in
the report, by furnishing the client with a mapping between the security elements and
CVE names, or by utilizing any other system.
7) Any desired reports or mappings which are given by the Service should fulfill the
requirements of media.
8) The product must be CVE-compatible, when the Service provides direct access to the
users.
2.2 Assets
The assets are considered as either primary or secondary, to recognize the assets that are
imported. For instance, the assets that should be imported first when compared to the other assets are
referred as primary assets and the assets which will be imported after the primary assets are referred as
the secondary assets (Support.symantec.com, 2011).
The primary assets contains super-set of the secondary assets. For instance, when a Control
Compliance Suite is considered, it is required to first import the Windows Domain prior to importing the
Windows Machines. Thus, here the primary asset is denoted as Windows Domain and the secondary
asset is denoted as Windows Machine. On the other hand, in the asset system, the Windows Domain is
called as the default scope for the Windows Machines. On the other hand, default scope refers to
importing the primary assets prior to the secondary assets.
2.3 Assets Table
ID Asset Primary or Secondary Asset
CS Cloud storage Primary Asset
VS Virtual server Secondary Asset
AS Authentication Server Secondary Asset
CD Customer Database Secondary Asset
WS Web server Secondary Asset
MS Mail Server Secondary Asset
FW Firewall/IDS Secondary Asset
I Internet Primary Asset
2.4 Threats and Vulnerabilities for Asset
The CloudXYZ organization’s assets their threats and vulnerabilities are as follows:
1) Cloud Storage
Threats
a) Data Breaches
The security breaches comprises of healthcare data, revenue details and
financial data (Networkmagazineindia.com, 2002).
b) Data Loss
There are possibilities of heavy loss of data and it could be highly expensive
for the organization.
c) Malicious Insiders
CVE names, or by utilizing any other system.
7) Any desired reports or mappings which are given by the Service should fulfill the
requirements of media.
8) The product must be CVE-compatible, when the Service provides direct access to the
users.
2.2 Assets
The assets are considered as either primary or secondary, to recognize the assets that are
imported. For instance, the assets that should be imported first when compared to the other assets are
referred as primary assets and the assets which will be imported after the primary assets are referred as
the secondary assets (Support.symantec.com, 2011).
The primary assets contains super-set of the secondary assets. For instance, when a Control
Compliance Suite is considered, it is required to first import the Windows Domain prior to importing the
Windows Machines. Thus, here the primary asset is denoted as Windows Domain and the secondary
asset is denoted as Windows Machine. On the other hand, in the asset system, the Windows Domain is
called as the default scope for the Windows Machines. On the other hand, default scope refers to
importing the primary assets prior to the secondary assets.
2.3 Assets Table
ID Asset Primary or Secondary Asset
CS Cloud storage Primary Asset
VS Virtual server Secondary Asset
AS Authentication Server Secondary Asset
CD Customer Database Secondary Asset
WS Web server Secondary Asset
MS Mail Server Secondary Asset
FW Firewall/IDS Secondary Asset
I Internet Primary Asset
2.4 Threats and Vulnerabilities for Asset
The CloudXYZ organization’s assets their threats and vulnerabilities are as follows:
1) Cloud Storage
Threats
a) Data Breaches
The security breaches comprises of healthcare data, revenue details and
financial data (Networkmagazineindia.com, 2002).
b) Data Loss
There are possibilities of heavy loss of data and it could be highly expensive
for the organization.
c) Malicious Insiders
End of preview
Want to access all the pages? Upload your documents or become a member.
Related Documents
Risk Assessment on Network Infrastructure of CONVXYZlg...
|27
|3351
|91
Host and Network Securitylg...
|19
|4301
|362
Information Security Managementlg...
|9
|2997
|41
Case Study on System Risk Management at ENISAlg...
|16
|3810
|174
Information Security Management for CloudXYZ: Risk Assessment and Mitigationlg...
|18
|3419
|275
Information Security Managementlg...
|11
|3202
|65