
Information Security Management: Risk Assessment and Recommendations

This assignment requires students to plan, conduct and document a risk assessment based on a given scenario in the field of Information Security Management.


Added on  2023-01-19

About This Document

This report provides a detailed risk assessment for information security management, including threats, vulnerabilities, and recommendations. It covers assets, risk identification, likelihood level computation, and impact specification. The report also includes a summary and recommendations for CONVXYZ company.

INFORMATION SECURITY MANAGEMENT 1
INFORMATION SECURITY MANAGEMENT
(Student’s Name)
(Professor’s Name)
(Course Title)
(Date of Submission)
Information Security Management: Risk Assessment and Recommendations_1
Table of Contents
Executive summary
Introduction
Risk assessment
    Assets
    Threats
        Threats to primary assets
        Server threats
        Threats to secondary assets
    Vulnerabilities
        Vulnerability for each asset
        Likelihood level computation
        Magnitude of impact
        Risk matrix table
        Impact specification table
        Risk identification
Summary and recommendation
References
Executive summary
CONVXYZ is a US company that provides real estate services to buyers and vendors and conveyancing
services to lawyers. One of the major goals of the company's security team is to prevent, or at least
minimize, security incidents such as information theft, data modification or deletion, and system
malfunction. A network architecture has been proposed, depicted in Figure 1 below; the dashed box shows
the company's internal network and all of its assets. This report is a detailed risk assessment of the
architecture in Figure 1, and it proposes recommendations based on the assessment's findings.
Introduction
Risk assessment is a process with three major steps: risk identification, risk evaluation, and
analysis of risk impacts. The process allows IT managers to balance the economic and operational costs of
protective measures against the protection those measures provide. The risk assessment methodology
comprises nine steps: system characterization, threat identification, vulnerability identification,
control analysis, likelihood determination, impact analysis, risk determination, control
recommendations, and results documentation (Vasudevan, 2017, p. 59). There are various risk assessment
methods, but this paper uses the HAZOP method. HAZOP is an acronym for HAZard and OPerability. The
method, originally developed for process-plant safety, is structured for examining the components of an
existing system and is used specifically to identify risks to equipment and people. One advantage of the
method is that those conducting the study are expected to propose a treatment for each risk they find.
Other advantages are that HAZOP is a systematic process that covers safety as well as operational
aspects, that it takes human error into account, and that the study results are recorded. Commercial
software is available to assist a HAZOP analysis, and the process is easy to learn and perform. Lastly,
HAZOP considers the parts of a system systematically and separately, examining the possible deviations
of each part, and it can work from a representation of the network design (Gossman, 2009).
Figure 1: Proposed CONVXYZ network architecture diagram
Risk assessment
Assets
Assets for CONVXYZ are grouped into three categories: physical assets, software assets, and
service assets. The physical assets are the primary assets; software and service assets are the
secondary assets. As shown in Figure 1, the physical assets are the communication equipment (the router,
firewall, and switch) together with the estate PCs, lawyer PCs, web server, mail server, staff database,
and authentication server. The secondary assets begin with the information held in the organization's
database, which may be finance, personnel, or production information. Under secondary assets one also
finds the data files containing the support and operational procedures the organization has developed
over the years, the archived information that the company is required by law to retain, and the business
continuity plans the company has developed to keep operating, which are also kept on the database
server. The next group of secondary assets is the software, divided into system software and application
software. The application software implements the company's business rules; the system software is the
packaged software such as the operating system, the database management system, and the office
productivity suite. The last group of secondary assets is services: communication services such as voice
communication, value-added services, the wide area network, and data communication, together with any
computing services the company has outsourced (Lee, 2005, p. 67).
Threats
Threat statement
This paper identified the following potential threat sources and their associated threat actions,
as shown in Table 1 below.

Table 1: Threat sources and threat actions

Threat source                                   Threat action
Computer criminal                               System intrusion
                                                Spoofing
                                                Identity theft
Hacker                                          Unauthorized system access
                                                System intrusion
Insiders (poorly trained personnel,             System bugs
dishonest or terminated employees)              Unauthorized system access
                                                Browsing of personally identifiable information
(Tittel, 2017, p. 79)
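The introduction lists likelihood determination, impact analysis and risk determination as three of the nine methodology steps, and Table 1 supplies the threat sources and actions. The following is an added worked example (not part of the original report) that carries those steps through for the Figure 1 assets. The numeric scales are the qualitative ones from NIST SP 800-30, whose nine steps are the ones the introduction cites: likelihood High=1.0, Medium=0.5, Low=0.1; impact High=100, Medium=50, Low=10; risk = likelihood x impact, banded as High (above 50), Medium (above 10 up to 50) and Low (1 to 10). The pairing of each threat with an asset, and the likelihood and impact ratings given to each pair, are assumptions made for illustration, not findings of the report.

```python
"""Risk determination for the CONVXYZ threat statement (added example).

Scales are those of NIST SP 800-30; the asset/threat pairings and the
likelihood and impact ratings below are assumed for illustration only.
"""
from dataclasses import dataclass

LIKELIHOOD = {"High": 1.0, "Medium": 0.5, "Low": 0.1}
IMPACT = {"High": 100, "Medium": 50, "Low": 10}


def risk_level(score: float) -> str:
    """Map a numeric score to the three-band NIST SP 800-30 scale."""
    if score > 50:
        return "High"
    if score > 10:
        return "Medium"
    return "Low"


@dataclass(frozen=True)
class Risk:
    asset: str
    threat_source: str
    threat_action: str
    likelihood: str   # "High" | "Medium" | "Low"
    impact: str       # "High" | "Medium" | "Low"

    @property
    def score(self) -> float:
        return LIKELIHOOD[self.likelihood] * IMPACT[self.impact]

    @property
    def level(self) -> str:
        return risk_level(self.score)


# Threat sources/actions from Table 1 paired with assets from Figure 1.
# The likelihood and impact ratings are assumptions for this example.
REGISTER = [
    Risk("Web server", "Hacker", "System intrusion", "High", "High"),
    Risk("Authentication server", "Computer criminal", "Identity theft", "Medium", "High"),
    Risk("Staff database", "Insider", "Browsing of personally identifiable information", "Medium", "Medium"),
    Risk("Router", "Hacker", "Unauthorized system access", "Low", "High"),
    Risk("Lawyer PCs", "Insider", "System bugs", "High", "Low"),
    Risk("Mail server", "Computer criminal", "Spoofing", "Medium", "Low"),
]


def ranked_register(register=REGISTER):
    """Register sorted by descending risk score, then by asset name."""
    return sorted(register, key=lambda r: (-r.score, r.asset))


def risks_at_level(level, register=REGISTER):
    """All risks that fall in the given band, in register order."""
    return [r for r in register if r.level == level]


def risk_matrix(register=REGISTER):
    """Count of risks per (likelihood, impact) cell, i.e. the risk matrix table."""
    matrix = {}
    for r in register:
        cell = (r.likelihood, r.impact)
        matrix[cell] = matrix.get(cell, 0) + 1
    return matrix


if __name__ == "__main__":
    for r in ranked_register():
        print(f"{r.level:6} {r.score:6.1f}  {r.asset:22} {r.threat_source}: {r.threat_action}")
```

Note the band boundary: a Medium likelihood against a High impact scores exactly 50, which is Medium, not High, under the SP 800-30 bands; a practitioner should decide deliberately whether such boundary cases are rounded up when writing the risk matrix table.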
Threats to primary assets
Router
Two common threats to any router are a denial of service attack, most commonly a SYN flood, and a
brute-force attack. A denial of service attack is caused by the exploitation of the
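For the two router threats named above, a SYN flood and a brute-force attack, the following is an added example (not part of the original report) of the detection logic a security team could run over router logs: a SYN flood shows up as many bare SYNs (SYN without ACK) from one source to one destination in a short window, and a brute-force attack as repeated failed logins from one source. The log line formats, the addresses, and the thresholds are constructed for this example; real router syslog formats and production thresholds differ.

```python
"""Detecting a SYN flood and a login brute-force from router log lines
(added example; log format, addresses and thresholds are constructed)."""
import re
from collections import Counter, defaultdict
from datetime import datetime

# Assumed (constructed) line formats:
#   <ISO time> FW SRC=<ip> DST=<ip> PROTO=TCP DPT=<port> FLAGS=<flag,flag>
#   <ISO time> AUTH user=<name> src=<ip> result=<success|failure>
FW_RE = re.compile(
    r"^(?P<ts>\S+) FW SRC=(?P<src>\S+) DST=(?P<dst>\S+) PROTO=TCP "
    r"DPT=(?P<dpt>\d+) FLAGS=(?P<flags>\S+)$")
AUTH_RE = re.compile(
    r"^(?P<ts>\S+) AUTH user=(?P<user>\S+) src=(?P<src>\S+) result=(?P<result>\S+)$")


def syn_flood_sources(lines, window_seconds=10, threshold=20):
    """Sources sending >= threshold bare SYNs (SYN set, ACK clear) to one
    destination within any window of window_seconds. A normal client opens
    a handful of connections; a flooder sends SYNs it never completes."""
    syn_times = defaultdict(list)  # (src, dst) -> [timestamps]
    for line in lines:
        m = FW_RE.match(line)
        if not m:
            continue
        flags = set(m["flags"].split(","))
        if "SYN" in flags and "ACK" not in flags:
            syn_times[(m["src"], m["dst"])].append(datetime.fromisoformat(m["ts"]))
    flagged = set()
    for (src, dst), times in syn_times.items():
        times.sort()
        start = 0
        for end, t in enumerate(times):
            # Slide the window start forward until it fits in window_seconds.
            while (t - times[start]).total_seconds() > window_seconds:
                start += 1
            if end - start + 1 >= threshold:
                flagged.add(src)
                break
    return flagged


def brute_force_sources(lines, threshold=5):
    """Sources with >= threshold failed router logins."""
    failures = Counter()
    for line in lines:
        m = AUTH_RE.match(line)
        if m and m["result"] == "failure":
            failures[m["src"]] += 1
    return {src for src, n in failures.items() if n >= threshold}


def build_sample_log():
    """Constructed sample: one flooding host, one brute-forcing host, and
    normal traffic that must not be flagged."""
    lines = []
    # 25 bare SYNs in 5 seconds from the flooder (5 per second).
    for i in range(25):
        lines.append(f"2023-01-19T10:00:{i // 5:02d} FW SRC=203.0.113.7 "
                     f"DST=192.0.2.1 PROTO=TCP DPT=443 FLAGS=SYN")
    # Legitimate client: three connections over a minute, each completed.
    for s in (0, 20, 40):
        lines.append(f"2023-01-19T10:01:{s:02d} FW SRC=198.51.100.20 "
                     f"DST=192.0.2.1 PROTO=TCP DPT=443 FLAGS=SYN")
        lines.append(f"2023-01-19T10:01:{s:02d} FW SRC=198.51.100.20 "
                     f"DST=192.0.2.1 PROTO=TCP DPT=443 FLAGS=ACK")
    # Brute force: eight failures then a success from one host.
    for i in range(8):
        lines.append(f"2023-01-19T10:02:{i:02d} AUTH user=admin src=198.51.100.5 result=failure")
    lines.append("2023-01-19T10:02:09 AUTH user=admin src=198.51.100.5 result=success")
    # A single mistyped password from a normal user.
    lines.append("2023-01-19T10:03:00 AUTH user=jdoe src=198.51.100.20 result=failure")
    return lines


SAMPLE_LOG = build_sample_log()

if __name__ == "__main__":
    print("SYN flood sources:", syn_flood_sources(SAMPLE_LOG))
    print("Brute-force sources:", brute_force_sources(SAMPLE_LOG))
```

The per-source count only catches a flood from a single address; a flood with spoofed source addresses would need the same window count keyed on the destination alone, and the threshold must be set from the router's normal SYN rate rather than the small constructed value used here.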

End of preview
