Your All-in-One AI-Powered Toolkit for Academic Success.

+13062052269

info@desklib.com

Available 24*7 on WhatsApp / Email

Company

Tools

Support

Agency Risk Assessment 2022

Verified

Added on 2022/09/14

AI Summary

Contribute Materials

Your contribution can guide someone’s learning journey. Share your documents today.

Assessment No:
Assessment Title:
Student Name & ID:
Subject Name and Code:
Student Email Address:

Secure Best Marks with AI Grader

Need help grading? Try our AI Grader for instant feedback on your assignments.

💎 Get Pro

UCLanRE Agency Risk Assessment 2
Table of Contents
Introduction.................................................................................................................................................3
Risk Assessment..........................................................................................................................................4
Risk identification....................................................................................................................................4
Assets..................................................................................................................................................5
Threats.................................................................................................................................................6
Vulnerabilities......................................................................................................................................7
Risk analysis and risk evaluation..............................................................................................................7
Risk assessment with a quantitative method..........................................................................................7
Risk treatment.........................................................................................................................................8
Risk acceptance and residual risk management......................................................................................9
Information Security Risk Communication and Consultation..................................................................9
Risk monitoring and review.....................................................................................................................9
Summary and Recommendations................................................................................................................9
References.................................................................................................................................................11

UCLanRE Agency Risk Assessment 3
Introduction
Risks analysis and assessment is one of the initial steps and primary way to advance the security of an
information system of an organization. For sure, optimization implies input of more effort. Furthermore,
it means doing it with minimum resources (Institute, 2017). This means that if we ignore to analyze and
assess risks surrounding our IT infrastructure for fear of incurring a small cost, we must be prepared to
pay huge chunks of money once havoc has been caused. With the enthusiasm of having enough security
and minimize costs caused by insecurity elements, risk analysis and assessment is very imperative for
each IT environment.
It should be noted that risk management has been already incorporated in many of the business
enterprises of all kinds (Aven & Zio, 2018). It is so surprising how UCLanRE agency is lacking this basic
requirement since the computers were introduced into the business environments. IT risk ought to have
been taken care a long time ago. In addition, the computer system is now in charge of critical operations
of UCLanRE agency processes, and IT risk assessment becomes one of the primary risks of the agency
today.
Risk assessment denotes to the determination of the value of risk in the relation of the tangible situation
and a known vulnerability on the basis of probability and the impact. The risk level is as a result of the
mentioned two factors. Risk assessment for IT Infrastructure for an organization can take either
qualitative or quantitative risk assessment approaches (Dalezios, 2017). In our exercise of risk
assessment for UCLanRE agency, we will deploy a quantitative risk assessment approach.
This paper presents a risk assessment for UCLanRE agency in the following steps:

UCLanRE Agency Risk Assessment 4
Risk Assessment
Risk assessment structure
Risk identification
Risk identification has been as explained by Adam Gordon as the process of finding, identifying and
noting down risks (Adam Gordon, 2016). Whitman & Mattord describes risk as a function of three
factors, namely vulnerabilities, threats and asset cost (Whitman & Mattord, 2016). The internal factor is
the vulnerabilities, whereas the external factors are the threats. These act as the source and input of
security incidents. The end result also is dependent on the asset environment and value. Therefore,
these three factors will be deployed as the primary input for the function of that assesses risks:
R=f (t, a, v)
In our formulation above, "t" stands for the likelihood of a threat taking place, "a" stands for asset value,
and "v" stands for the frequency of vulnerabilities an information system may have. Another method of
interpreting risk concept is a combination of threat type, the effect of an asset, vulnerability, threat
source and the countermeasure as proposed by (Loske, 2015). Because many of the interpretations are
the extended version of the three primary risk elements, this paper will deploy the basic triplet in its
evaluation of risk for UCLanRE agency. Assessment model for an information systems security risk is as
shown below;

Paraphrase This Document

Need a fresh take? Get an instant paraphrase of this document with our AI Paraphraser

💎 Try AI Paraphraser

UCLanRE Agency Risk Assessment 5
Assessment model for an IS security risk
(Layton, 2016)
Assets
In an information system, asset cost is the worth of IT Infrastructure property for a business enterprise,
which is under threat. In our risk assessment process, we will dwell on the assets which have a direct
connection to the information systems for UCLanRE agency. It should be noted that the asset can be in
dissimilar forms ranging from physical, intangible, software, hardware to service (Gibson, 2014).
The parts of information system assets that we will consider including the facilities which deal with
information, the information itself, and the personnel who deal with the information.
The identification of assets in the process of risk assessment is a preceding phase to the assessment of
value. The most significant matter is to recognize the vast number of assets in addition to their
correlation among the assets (Agrawal, et al., 2014). In the initial round of assessment, we will conduct a
thorough asset assessment so as to recognize all the assets.

UCLanRE Agency Risk Assessment 6
Once we have identified the assets, we will carry out the evaluation of the assets. Evaluation will be
done in a quantitative method through qualitative method is also available to satisfy the shortcomings
of the later. In a quantitative method of asset evaluation, the assets are evaluated on the basis of the
actual environment and the value of assets (Ruan, 2019).
Below is the list of assets for UCLanRE agency which we focus on;
Category Asset Number of Assets
Hardware Personal Computers
Servers 3
Switch 1
Router 1
Software Windows XP 1
SQL Server 1
Mail Server 1
IIS webserver 2
Threats
Ulsch defines a threat as an even which cause harm to IT infrastructure and information systems in
general (Ulsch, 2014). Three aspects are considered in a threat likelihood. They are; potential
vulnerabilities, present controls and source of threats. In order to identify sources of threats, each
potential threat towards the significant assets has to be documented. Sources threats can be classed as
either human factors and environmental factors. Environment threats sometimes are uncontrollable
and consistent. For example, the flood and the earthquake. Environment threats must always be
considered in relation to the environment of operation. Note that such kind of threats are cannot be
avoided.
However, human factors, on the other hand, are vagrant since they relate to different situations and
individuals. This kind of threat is difficult to handle since predicting human behaviour is very challenging
in nature.
Present forms of threat can either be an unintended or straight attack against information systems.
These include leaking information, an unauthorized modification which may lead to violation of

UCLanRE Agency Risk Assessment 7
integrity, confidentiality and availability of an information system. For UCLanRE agency, the likelihood
of threats will be quantified on the below basis;
a. Gathering of the information in a real environment by use of IDS tools and checking of the log
files
b. Statics of threats in past security report analyses.
c. Reference to the authoritative sources.
UCLanRE agency threats under assessment include viruses, worms, trojan, spyware, spam, adware,
botnets, rootkits and logic bombs.
Vulnerabilities
This is the candidness of the information system to a threat. An information vulnerability is frequently
exploited by identified potential threats. Parkinson et al. define vulnerability as a weakness in relation to
system asset, which causes an unanticipated event (Parkinson, et al., 2018). Vulnerabilities can be
classed into two categories. For instance, there are those vulnerabilities affect the system assets, i.e.
system breaches and technical issues. The other kind of vulnerability is the one caused by insufficient
organizational management at a higher level.
For UCLanRE agency, identified vulnerabilities comprise of missing data encryption, SQL injection,
missing authorization, OS command injection, bugs, weak passwords, buffer overflow and use of broken
algorithms.
Risk analysis and risk evaluation
Risk analysis refers to the process of understanding risk nature and to regulate the extent of the risk. In
this definition, we discover that the kind of risk is the source and cause, having the cause and source; we
are able to locate the risks. In our risk assessment for UCLanRE agency, we will deploy quantitative
methods in the comparison and decision making and their priorities. The risks which are more
dangerous are treated as the most urgent. Our table of priority is as shown below;
Risk assessment with a quantitative method
In our risk assessment for UCLanRE agency, we consider the risk of every resource and the threat, the
like hood of occurrence and the impact to the agency in case the risk event takes place. All these are
quantified in order to make a business decision. The below table shows the risk assessment matrix table
for our organization in question.

Secure Best Marks with AI Grader

Need help grading? Try our AI Grader for instant feedback on your assignments.

💎 Get Pro

UCLanRE Agency Risk Assessment 8
Risk Factor Impact Annual Rate of
Occurrence
Cost of Controls Overall Risk
Legacy Windows
XP
Medium High Medium High
No antivirus
software
Medium High Medium High
No VPN High Medium High High
Mail Server High Medium High High
Customer
Database
High Medium High High
IIS Web Server High Medium Medium High
No Redundancy High Medium Medium High
Untrained staff Low Medium Low Medium
Risk treatment
Once we have the above assessment and analysis, which is our quantitative form of risk analysis, we
compare our results with the provided risk measures, which is our locus for our risk brutality. Our risk
criteria will consist of regulation and laws cost-benefits, social and economic environment and human
factors. Below are the likely actions which we propose to be undertaken against various levels of risk in
different environments;
Avoid the risk – this can be done by avoiding activities which create the risk. For example, UCLanRE
agency can avoid accessing organizational resources remotely without VPN. This response can be
managed by introducing security controls such as VPNs and firewalls.
Modify the risk – this can be done by implementation of control which will bring down the like hood of
occurring. For instance, UCLanRE agency should address the risk of data loss through organization
computers by coming up with a policy which restricts computer users from performing unnecessary
formatting of hard disks without authorization from the IT head. Any computer repairs must be
authorized from the IT department and performed by an IT specialist.
Share risks with the third party – this can be approached in two ways. That is, purchasing of
cybersecurity insurance which will ensure that UCLanRE agency has funds to respond in a correct

UCLanRE Agency Risk Assessment 9
manner in the event of a disaster taking place or outsourcing of the security efforts from another
organization. Note that neither of these options is ideal since UCLanRE agency is ultimately responsible
for its organization’s data and security, however, they would be the best option for UCLanRE agency
since UCLanRE agency lacks resources to handle the risk.
Retain the risk. This will imply that UCLanRE agency has to accept the risk and believe the cost of
handling the risk is greater than damage that is likely to be caused.
Information Security Risk Communication and Consultation
UCLanRE agency needs to keep a record of how it is handling the risks and inform the management and
employees who are likely to have been affected.
For instance, UCLanRE agency faced some form of attack and financial loss was witnessed; this ought to
have been communicated to the employees concerned and the administration. This will make sure that
the management and the concerned employees will understand in case they witness abrupt decisions by
the management. Similarly, if UCLanRE agency is avoiding the risk by ensuring that it avoids what it did
and landed it into a problem, this should be passed on to the rest employees.
Risk monitoring and review
One of the most important factors which affect the effectiveness and efficiency of a business
organization risk management process is the process of coming up with an ongoing monitor and review
process. The process will ensure that the detailed management action plan will remain updated and
relevant. In the present dynamic business environment, the factors which affect the likelihood and
consequence of the risks are dynamically changing. It is, therefore, a good practice for UCLanRE agency
to repeat its risk assessment and management cycle on a regular basis.
Summary and Recommendations
In summary, risk assessment (and 27005 general compliance) is a continuous activity. Therefore,
UCLanRE agency is required to carry out this process on a regular basis.
This will serve this organization with two purposes; one, it will enable UCLanRE agency to check whether
the action plan options which were selected are working out as expected. Two, it may be discovered
that the implemented treatment options are not addressing the risk as intended, and hence a change
may be required.

UCLanRE Agency Risk Assessment 10
An information system assessment is a critical requirement since it offers a critical road map for the
improvement of the information security system practices. As UCLanRE agency will continue
implementing risk assessment, it will be able to come up with goals which will evaluate its information
system over time hence reducing the likelihood of occurrence of an event.
Conclusion

Paraphrase This Document

Need a fresh take? Get an instant paraphrase of this document with our AI Paraphraser

💎 Try AI Paraphraser

UCLanRE Agency Risk Assessment 11
References
Adam Gordon, (2016) The Official (ISC)2 Guide to the SSCP CBK. 4th ed. New Jersey: John Wiley and
Sons.
Agrawal, M., Campoe, and Pierce, (2014). Information Security and IT Risk Management. 4th ed.
Hoboken: John Wiley and Sons.
Aven, T. and Zio, E., (2018). Knowledge in risk assessment and management. 4th ed. New Jersey: John
Wiley and Sons.
Dalezios, N. R., (2017). Environmental Hazards Methodologies for Risk Assessment and Management.
3rd ed. London: IWA Publishing.
Gibson, D., (2014). Managing Risk in Information Systems. 1st ed. Massachusetts: Jones and Bartlett
Learning.
Institute, P. M., (2017). A Guide to the Project Management Body of Knowledge. 6th ed. Newtown
Square: Project Management Institute.
Layton, T. P., (2016). Information Security: Design, Implementation, Measurement, and Compliance. 6th
ed. Boca Raton: CRC Press.
Loske, A., (2015). IT Security Risk Management in the Context of Cloud Computing. 2nd ed. Salmon:
Springer.
Parkinson, S., Crampton, . and Hill, ., (2018). Guide to Vulnerability Analysis for Computer Networks and
Systems. 1st ed. Berlin: Springer.
Ruan, K., (2019). Digital Asset Valuation and Cyber Risk Measurement: Principles of Cybernomics. 1st ed.
Edinburgh: Elsevier.
Ulsch, M., (2014). Cyber Threat!: How to Manage the Growing Risk of Cyber Attacks. 1st ed. Hoboken:
John Wiley and Sons.
Whitman, M. E. and Mattord, . J., (2016). Management of Information Security. 3rd ed. San Francisco:
Cengage Learning.

1 out of 11

+13062052269

info@desklib.com

Agency Risk Assessment 2022

Contribute Materials

Secure Best Marks with AI Grader

Paraphrase This Document

Secure Best Marks with AI Grader

Paraphrase This Document

Related Documents

Information System Security Management Report 2022

Report on Implementing Security Management Program at Griffith University Medical GUMC

Security Risk Analysis