UCLanRE Agency Risk Assessment

Table of Contents

Introduction
Risk Assessment
  Risk identification
    Assets
    Threats
    Vulnerabilities
  Risk analysis and risk evaluation
    Risk assessment with a quantitative method
  Risk treatment
  Risk acceptance and residual risk management
  Information Security Risk Communication and Consultation
  Risk monitoring and review
Summary and Recommendations
References
Introduction

Risk analysis and assessment is one of the initial steps in, and a primary means of, improving the security of an organization's information system. Optimization certainly demands more effort; it also means achieving the goal with minimum resources (Project Management Institute, 2017). If we neglect to analyze and assess the risks surrounding our IT infrastructure for fear of incurring a small cost, we must be prepared to pay a great deal once the damage has been done. With the aim of having adequate security while minimizing the costs caused by insecurity, risk analysis and assessment is imperative for every IT environment. It should be noted that risk management has already been incorporated into business enterprises of all kinds (Aven & Zio, 2018). It is surprising that UCLanRE agency still lacks this basic requirement, given how long computers have been part of business environments; IT risk ought to have been addressed long ago. Moreover, the computer system is now in charge of the critical operations of UCLanRE agency's processes, so IT risk has become one of the agency's primary risks today.

Risk assessment denotes the determination of the level of risk in a concrete situation for a known vulnerability, on the basis of probability and impact; the risk level results from these two factors. Risk assessment of an organization's IT infrastructure can take either a qualitative or a quantitative approach (Dalezios, 2017). In our risk assessment for UCLanRE agency, we will apply a quantitative approach. This paper presents the risk assessment for UCLanRE agency in the following steps:
Risk Assessment

Figure: Risk assessment structure

Risk identification

Risk identification has been explained by Adam Gordon as the process of finding, recognizing and recording risks (Adam Gordon, 2016). Whitman & Mattord describe risk as a function of three factors, namely vulnerabilities, threats and asset value (Whitman & Mattord, 2016). Vulnerabilities are the internal factor, whereas threats are the external factors; together they act as the source and input of security incidents. The end result also depends on the asset's environment and value. Therefore, these three factors will be used as the primary input for the function that assesses risk:

R = f(t, a, v)

In the formulation above, "t" stands for the likelihood of a threat taking place, "a" stands for asset value, and "v" stands for the frequency of vulnerabilities an information system may have. Another way of interpreting the risk concept is as a combination of threat type, the effect on an asset, vulnerability, threat source and countermeasure, as proposed by Loske (2015). Because most such interpretations are extended versions of the three primary risk elements, this paper will use the basic triplet in its evaluation of risk for UCLanRE agency. The assessment model for information system security risk is shown below:
Figure: Assessment model for an IS security risk (Layton, 2016)

Assets

In an information system, asset value is the worth of the IT infrastructure property of a business enterprise that is under threat. In our risk assessment process, we will concentrate on the assets which have a direct connection to the information systems of UCLanRE agency. It should be noted that assets can take dissimilar forms, ranging from physical and intangible assets to software, hardware and services (Gibson, 2014). The information system assets we will consider include the facilities which process information, the information itself, and the personnel who handle the information. Identifying assets in the risk assessment process is the phase that precedes assessing their value. The most significant matter is to recognize the large number of assets as well as the correlations among them (Agrawal, et al., 2014). In the initial round of assessment, we will conduct a thorough asset survey so as to recognize all the assets.
Once we have identified the assets, we will carry out their evaluation. Evaluation will be done by a quantitative method, though a qualitative method is also available to compensate for the shortcomings of the quantitative one. In a quantitative method of asset evaluation, the assets are valued on the basis of the actual environment and the value of the assets (Ruan, 2019). Below is the list of assets of UCLanRE agency on which we focus:

Category   Asset                Number of Assets
Hardware   Personal Computers
           Servers              3
           Switch               1
           Router               1
Software   Windows XP           1
           SQL Server           1
           Mail Server          1
           IIS web server       2

Threats

Ulsch defines a threat as an event which causes harm to IT infrastructure and to information systems in general (Ulsch, 2014). Three aspects are considered in threat likelihood: potential vulnerabilities, present controls and the source of the threat. In order to identify sources of threats, each potential threat to the significant assets has to be documented. Threat sources can be classed as either human factors or environmental factors. Environmental threats are sometimes uncontrollable and consistent, for example floods and earthquakes; they must always be considered in relation to the environment of operation, and such threats cannot be avoided. Human factors, on the other hand, are variable, since they relate to different situations and individuals. This kind of threat is difficult to handle, since predicting human behaviour is very challenging. Present forms of threat can be either unintended or direct attacks against information systems. These include leaking information and unauthorized modification, which may lead to violation of the integrity, confidentiality and availability of an information system. For UCLanRE agency, the likelihood of threats will be quantified on the following basis:

a. Gathering information in the real environment by use of IDS tools and checking of the log files.
b. Statistics of threats in past security report analyses.
c. Reference to authoritative sources.

UCLanRE agency threats under assessment include viruses, worms, trojans, spyware, spam, adware, botnets, rootkits and logic bombs.

Vulnerabilities

A vulnerability is the openness of the information system to a threat. An information vulnerability is frequently exploited by identified potential threats. Parkinson et al. define vulnerability as a weakness related to a system asset which causes an unanticipated event (Parkinson, et al., 2018). Vulnerabilities can be classed into two categories: those that affect the system assets, i.e. system breaches and technical issues, and those caused by insufficient organizational management at a higher level. For UCLanRE agency, the identified vulnerabilities comprise missing data encryption, SQL injection, missing authorization, OS command injection, bugs, weak passwords, buffer overflow and use of broken algorithms.

Risk analysis and risk evaluation

Risk analysis refers to the process of understanding the nature of a risk and determining its extent. In this definition, we see that each kind of risk has a source and a cause; knowing the cause and source, we are able to locate the risks. In our risk assessment for UCLanRE agency, we will use quantitative methods in comparing risks, making decisions and setting their priorities. The risks which are more dangerous are treated as the most urgent.
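The ranking just described, worked through as an added example; this is not code from the paper, which contains none. It encodes the ordinal Impact, Annual Rate of Occurrence and Cost of Controls levels that the paper assigns in its priority matrix, derives the overall rating with an assumed rule (the higher of impact and likelihood, since the paper does not state how its Overall Risk column is produced) and checks that the assumption reproduces the paper's column. It then shows the standard monetary form of a quantitative assessment, annualized loss expectancy (ALE = SLE x ARO) compared against the annual cost of a control, on figures that are constructed for illustration and do not come from the paper.

```python
"""Worked example of ranking risks for treatment.

Added illustration, not code from the UCLanRE paper. The factor names and
their ordinal Impact / Annual Rate of Occurrence / Cost of Controls levels
are copied from the paper's matrix. The paper does not state how the
"Overall Risk" column is derived; this example ASSUMES the higher of impact
and likelihood, one common convention, and checks that the assumption
reproduces the paper's column. The monetary inputs for the annualized loss
expectancy (ALE = SLE x ARO) comparison are CONSTRUCTED for illustration.
"""
from dataclasses import dataclass

LEVELS = {"Low": 1, "Medium": 2, "High": 3}
NAMES = {score: name for name, score in LEVELS.items()}


@dataclass(frozen=True)
class RiskFactor:
    name: str
    impact: str        # ordinal level from the paper's matrix
    likelihood: str    # the paper's "Annual Rate of Occurrence" level
    control_cost: str  # ordinal level from the paper's matrix


def overall_rating(impact: str, likelihood: str) -> str:
    """Assumed rule: overall risk is the higher of impact and likelihood."""
    return NAMES[max(LEVELS[impact], LEVELS[likelihood])]


def rank_ordinal(factors):
    """Most urgent first: by overall rating, then impact, then likelihood.
    sorted() is stable, so factors with equal keys keep the matrix order."""
    return sorted(
        factors,
        key=lambda f: (LEVELS[overall_rating(f.impact, f.likelihood)],
                       LEVELS[f.impact], LEVELS[f.likelihood]),
        reverse=True,
    )


def annualized_loss_expectancy(sle: float, aro: float) -> float:
    """ALE = single-loss expectancy x annual rate of occurrence."""
    return sle * aro


def control_net_benefit(ale_before: float, ale_after: float, annual_control_cost: float) -> float:
    """Risk reduction bought by a control, minus what the control costs per year.
    Positive supports 'modify the risk'; negative points to 'retain' or a cheaper control."""
    return (ale_before - ale_after) - annual_control_cost


def treatment_decisions(quant):
    """Map each factor to (ALE before the control, net benefit of the proposed control)."""
    decisions = {}
    for name, q in quant.items():
        before = annualized_loss_expectancy(q["sle"], q["aro"])
        after = annualized_loss_expectancy(q["sle"], q["aro_after"])
        decisions[name] = (before, control_net_benefit(before, after, q["control_cost"]))
    return decisions


# Levels copied from the paper's risk assessment matrix.
PAPER_MATRIX = [
    RiskFactor("Legacy Windows XP", "Medium", "High", "Medium"),
    RiskFactor("No antivirus software", "Medium", "High", "Medium"),
    RiskFactor("No VPN", "High", "Medium", "High"),
    RiskFactor("Mail Server", "High", "Medium", "High"),
    RiskFactor("Customer Database", "High", "Medium", "High"),
    RiskFactor("IIS Web Server", "High", "Medium", "Medium"),
    RiskFactor("No Redundancy", "High", "Medium", "Medium"),
    RiskFactor("Untrained staff", "Low", "Medium", "Low"),
]

# CONSTRUCTED figures (not from the paper): loss per incident, incidents per
# year before and after the control, and the control's annual cost.
CONSTRUCTED_QUANT = {
    "No VPN": dict(sle=40_000.0, aro=0.5, aro_after=0.125, control_cost=6_000.0),
    "Legacy Windows XP": dict(sle=15_000.0, aro=1.0, aro_after=0.25, control_cost=20_000.0),
    "Untrained staff": dict(sle=5_000.0, aro=0.5, aro_after=0.25, control_cost=1_000.0),
}

if __name__ == "__main__":
    for f in rank_ordinal(PAPER_MATRIX):
        print(f"{f.name:<22} overall={overall_rating(f.impact, f.likelihood)}")
    for name, (ale, net) in treatment_decisions(CONSTRUCTED_QUANT).items():
        action = "modify" if net > 0 else "retain or find a cheaper control"
        print(f"{name:<22} ALE={ale:>9,.0f}  net benefit of control={net:>9,.0f}  -> {action}")
```

With the constructed figures, the Windows XP control costs more per year than the loss it removes, so the net benefit is negative even though the factor is rated High overall. That is the point of carrying a Cost of Controls column alongside the rating: the ordinal rating orders the treatment queue, but the decision between modifying and retaining a risk needs the monetary comparison.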
Risk assessment with a quantitative method

Our table of priority is shown below. In our risk assessment for UCLanRE agency, we consider the risk to every resource and the threat, the likelihood of occurrence and the impact on the agency should the risk event take place. All of these are quantified in order to make a business decision. The table below shows the risk assessment matrix for the organization in question.
Risk Factor             Impact   Annual Rate of Occurrence   Cost of Controls   Overall Risk
Legacy Windows XP       Medium   High                        Medium             High
No antivirus software   Medium   High                        Medium             High
No VPN                  High     Medium                      High               High
Mail Server             High     Medium                      High               High
Customer Database       High     Medium                      High               High
IIS Web Server          High     Medium                      Medium             High
No Redundancy           High     Medium                      Medium             High
Untrained staff         Low      Medium                      Low                Medium

Risk treatment

Once we have the above assessment and analysis, which is our quantitative form of risk analysis, we compare our results against the established risk criteria, which are our benchmark for the severity of each risk. Our risk criteria will consist of regulations and laws, cost-benefits, the social and economic environment, and human factors. Below are the actions we propose against the various levels of risk in different environments:

Avoid the risk: this can be done by avoiding the activities which create the risk. For example, UCLanRE agency can avoid accessing organizational resources remotely without a VPN. This response can be managed by introducing security controls such as VPNs and firewalls.

Modify the risk: this can be done by implementing controls which bring down the likelihood of occurrence. For instance, UCLanRE agency should address the risk of data loss on organizational computers by introducing a policy which restricts computer users from formatting hard disks without authorization from the head of IT. Any computer repairs must be authorized by the IT department and performed by an IT specialist.

Share the risk with a third party: this can be approached in two ways: purchasing cybersecurity insurance, which will ensure that UCLanRE agency has funds to respond correctly in the event of a disaster, or outsourcing the security effort to another organization. Note that neither of these options is ideal, since UCLanRE agency remains ultimately responsible for its own data and security; however, they would be the best option for UCLanRE agency, since it lacks the resources to handle the risk itself.

Retain the risk: this implies that UCLanRE agency accepts the risk, believing that the cost of handling it is greater than the damage it is likely to cause.

Information Security Risk Communication and Consultation

UCLanRE agency needs to keep a record of how it is handling the risks and inform the management and the employees who are likely to be affected. For instance, if UCLanRE agency suffered some form of attack and a financial loss was witnessed, this ought to be communicated to the employees concerned and to the administration. This will make sure that management and the concerned employees understand any abrupt decisions taken by management. Similarly, if UCLanRE agency is avoiding a risk by no longer doing what previously landed it in a problem, this should be passed on to the rest of the employees.

Risk monitoring and review

One of the most important factors affecting the effectiveness and efficiency of an organization's risk management process is establishing an ongoing monitoring and review process. This process will ensure that the detailed management action plan remains updated and relevant. In the present dynamic business environment, the factors which affect the likelihood and consequences of risks are constantly changing. It is, therefore, good practice for UCLanRE agency to repeat its risk assessment and management cycle on a regular basis.

Summary and Recommendations

In summary, risk assessment (and, more generally, 27005 compliance) is a continuous activity.
Therefore, UCLanRE agency is required to carry out this process on a regular basis. This will serve the organization in two ways: first, it will enable UCLanRE agency to check whether the selected action plan options are working out as expected; second, it may be discovered that the implemented treatment options are not addressing the risk as intended, and hence a change may be required.

An information system assessment is a critical requirement, since it offers a road map for improving information security practices. As UCLanRE agency continues to implement risk assessment, it will be able to set goals against which it can evaluate its information system over time, hence reducing the likelihood of an adverse event occurring.

Conclusion
References

Adam Gordon (2016). The Official (ISC)2 Guide to the SSCP CBK. 4th ed. New Jersey: John Wiley and Sons.
Agrawal, M., Campoe and Pierce (2014). Information Security and IT Risk Management. 4th ed. Hoboken: John Wiley and Sons.
Aven, T. and Zio, E. (2018). Knowledge in Risk Assessment and Management. 4th ed. New Jersey: John Wiley and Sons.
Dalezios, N. R. (2017). Environmental Hazards Methodologies for Risk Assessment and Management. 3rd ed. London: IWA Publishing.
Gibson, D. (2014). Managing Risk in Information Systems. 1st ed. Massachusetts: Jones and Bartlett Learning.
Project Management Institute (2017). A Guide to the Project Management Body of Knowledge. 6th ed. Newtown Square: Project Management Institute.
Layton, T. P. (2016). Information Security: Design, Implementation, Measurement, and Compliance. 6th ed. Boca Raton: CRC Press.
Loske, A. (2015). IT Security Risk Management in the Context of Cloud Computing. 2nd ed. Salmon: Springer.
Parkinson, S., Crampton and Hill (2018). Guide to Vulnerability Analysis for Computer Networks and Systems. 1st ed. Berlin: Springer.
Ruan, K. (2019). Digital Asset Valuation and Cyber Risk Measurement: Principles of Cybernomics. 1st ed. Edinburgh: Elsevier.
Ulsch, M. (2014). Cyber Threat!: How to Manage the Growing Risk of Cyber Attacks. 1st ed. Hoboken: John Wiley and Sons.
Whitman, M. E. and Mattord, J. (2016). Management of Information Security. 3rd ed. San Francisco: Cengage Learning.