In information security, risk assessment plays a vital role. Generally, risk assessment is the process of identifying the threats that could cause harm to an organization. In today's technology-driven world, all kinds of organizations rely on information that benefits them, and to protect that information they need a proper risk assessment plan. The main purpose of this report is to design a risk analysis and data classification for the dance club named All Stars Dance, to protect the CIA triad (confidentiality, integrity and availability) of its information. The risk analysis is performed mainly to ensure the dance club members' data is safe. This report contains the identification and classification of information assets, a weighted factor analysis, the impacts of threats and vulnerabilities, risk ratings, and countermeasures for the threats identified.
This risk assessment for the All Stars Dance club starts with the identification of information assets, moves on to the threats associated with the classified assets, then to the weighted factor analysis and the risk matrix with its recommendations, and ends with an information classification schema and recommendations.
Information assets of an organization include everything from devices to people that benefits the organization financially. In the All Stars Dance club the primary information assets are:
- Member details database (includes their sensitive personal information)
  - Dance club member number
  - Full name
  - Date of birth
  - Phone numbers
  - Test levels (system admins only)
  - Guardian / parent full name
  - Admin notes
- CMS (Content Management System of their website)
  - Joomla CMS
  - CMS database
- Payment gateway
- Payment database
- Computer systems
- Portable devices
- Email service
- System administrator
- Event manager
- Test convertor
Threats associated with the information assets
The primary threats associated with the identified information assets, and the action taken by each threat, are:
- Forces of nature: natural disasters such as fire and earthquake
Risk model (Weighted Factor Analysis)
The weighted factor analysis rates each threat at one of three levels:
- The threat is highly severe and the controls in place are unsuccessful.
- The threat is capable of causing issues, but the controls in place can stop it from doing so.
- The threat is not capable of causing issues, and the controls in place are successful.
A risk matrix is a traditional and standard method used in a risk assessment plan. Its primary purpose is to classify risks according to their probability of happening; based on the severity, the impact is highlighted in different colours.
The impact is calculated as the product of the consequence and the likelihood of the risk occurring. The consequence levels are:
- A failure of CIA is expected and would have an extremely severe effect on the organization. (Gordon and Malik, 2014)
- A failure of CIA is expected to have a serious effect on the organization. (Gordon and Malik, 2014)
- A failure of CIA is expected to have a limited but not serious effect on the organization. (Gordon and Malik, 2014)
The risk score is the result of the risk matrix, calculated as Consequence × Likelihood, and is banded as Low Impact, Medium Impact or High Impact.
The risk assessment for the given scenario is given below. The assessment covers the possible vulnerabilities, their likelihood of occurring, the impact if they occur, and the resulting risk rating. The vulnerabilities identified per asset are:
- Vulnerable plugins, DoS, unethical usage
- Inside the fence
- Third-party handling of security practices, unethical usage by employees
- Employees, illegal usage of information, former employees
- Physical devices (portable devices): theft, sabotage, inside the fence
- Third-party security practices
- Phishing, sniffing, key loggers
- Computer systems / network: DoS, DDoS, inside the fence
- Forces of nature: inside the fence
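The risk score described above (Consequence × Likelihood, banded into Low, Medium and High Impact) can be applied to a whole register of threats at once. The following is an added example, not part of the original report: the three-point scales, the banding thresholds, the asset names in the register and the ratings given to each entry are all assumptions, chosen only to show the calculation on the threats the report names.

```python
"""Risk-matrix scoring for a risk register (added example, not the report's own).

The report states score = consequence x likelihood with three bands, but gives
no numbers; the 1..3 scales and the band thresholds below are assumptions.
"""
from dataclasses import dataclass

# Three-point scales, mirroring the report's three consequence levels
# (severe / serious / limited) and three likelihood levels. (assumption)
SCALE = {"low": 1, "medium": 2, "high": 3}

# Assumed banding of the product, whose range is 1..9:
# 1-2 -> Low Impact, 3-4 -> Medium Impact, 6-9 -> High Impact.
BANDS = ((2, "Low Impact"), (4, "Medium Impact"), (9, "High Impact"))


@dataclass(frozen=True)
class RiskEntry:
    asset: str
    threat: str
    likelihood: str   # "low" | "medium" | "high"
    consequence: str  # "low" | "medium" | "high"


def risk_score(consequence: str, likelihood: str) -> int:
    """Consequence x Likelihood on the 1..3 scales; raises KeyError on unknown levels."""
    return SCALE[consequence.lower()] * SCALE[likelihood.lower()]


def impact_band(score: int) -> str:
    """Map a product score to the matrix band; rejects values outside 1..9."""
    if not 1 <= score <= 9:
        raise ValueError(f"score out of range: {score}")
    for upper, label in BANDS:
        if score <= upper:
            return label
    raise AssertionError("unreachable: BANDS covers 1..9")


def score_register(register):
    """Score every entry and return (asset, threat, score, band), highest risk first."""
    rows = []
    for entry in register:
        score = risk_score(entry.consequence, entry.likelihood)
        rows.append((entry.asset, entry.threat, score, impact_band(score)))
    rows.sort(key=lambda row: row[2], reverse=True)  # stable: ties keep input order
    return rows


# Constructed register using threats named in the report; every rating is assumed.
REGISTER = [
    RiskEntry("Member details database", "Insider misuse (inside the fence)", "medium", "high"),
    RiskEntry("Joomla CMS", "Vulnerable plugins / DoS", "high", "medium"),
    RiskEntry("Payment gateway", "Third-party security practices", "low", "high"),
    RiskEntry("Email service", "Phishing, key loggers", "high", "high"),
    RiskEntry("Portable devices", "Theft / sabotage", "medium", "medium"),
    RiskEntry("Computer systems / network", "DoS / DDoS", "medium", "low"),
    RiskEntry("Whole site", "Forces of nature (fire, earthquake)", "low", "high"),
]

if __name__ == "__main__":
    for asset, threat, score, band in score_register(REGISTER):
        print(f"{score}  {band:14} {asset}: {threat}")
```

Sorting the register by score puts the entries that need countermeasures first, which is the order the recommendations below should be worked through; changing the thresholds in `BANDS` is the only edit needed to match a club's own risk appetite.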
Each identified threat requires a unique countermeasure. The advisable recommendations for the identified threats are as follows.
Since the All Stars Dance club's website is hosted on Joomla, the recommendations are to use strong passwords (containing numbers, letters and symbols), maintain strong and periodic backups and updates, and carry out effective site security monitoring (Docs.joomla.org, 2015).
To protect the database, it is advisable to maintain access control and user privileges so that only authorised users can access it. Encrypting the database contents is suggested, along with regular backups.
Educating employees about basic security topics such as phishing and workplace ethical practices, and using a dedicated email protection service such as Cisco cloud email, is recommended.
Educate employees about workplace ethics, and revoke all privileges and access from outgoing and former employees when they leave the organization.
Set up secure locks, fencing and dedicated access control (biometric). Use dedicated monitoring with surveillance cameras and sensors that give notice of unauthorised access to resources (Margaret, 2016).
For portable devices, ensure that all permissions allocated to staff on their portable devices are revoked as soon as they leave their job; in this way the All Stars Dance club can protect its information from former staff. Regular updates on portable devices are also suggested.
Since this is handled by a third party and the risk of occurrence is low, it is suggested to become familiar with the third party's security and service policies.
Using a secure password (containing numbers, letters and symbols) together with two-factor authentication is recommended. Two-factor authentication adds an additional layer of security to an account: the user must provide their password along with an OTP or authentication code received via SMS or email (Rosenblatt & Jason, 2015). Using a unique password for each system or account is also advisable.
Using dedicated IDS and IPS to protect network security, placing honeypots in the network, segmenting the network using VLANs (Randy, 2016) and effective network monitoring are the recommended methods to keep the network and systems safe.
Forces of Nature
Since it is not possible to stop natural disasters, it is recommended to keep regular backups either at another location (offsite) or in the cloud. For the All Stars Dance club, backups using a cloud service are recommended, so that even if a natural disaster causes physical destruction the club can recover from the data stored in the cloud.
For people, education in basic security practices and work ethics is recommended. In the All Stars Dance club the secretary has access to all the systems, so an insider threat would affect the business heavily.
Information classification schema
Information classification is the process of classifying information so that the required security measures are applied to protect it. Information classification is mostly based on confidentiality. The four major levels in this classification are Confidential, Internal, Public and Restricted (Irwin, 2019).
Information classification for the All Stars Dance club
The database is a vital element everywhere. The data stored in the database is sensitive, so it requires a high level of confidentiality. Unauthorised access to the database would have a high impact on the organization and cause serious issues for the CIA triad.
Internal refers to the level covering actions related to internal usage. In the All Stars Dance club the main actions are information management, which mainly involves transmitting information over computer networks and storing it. Failure at this level causes loss of integrity.
Direct access to the systems and unauthorised usage of the All Stars Dance club's network lead to a compromise of confidentiality; for this reason these are considered Restricted.
Since members are required to register through the website to join the All Stars Dance club, all events are posted on the website for business purposes, and email is received from parents, the website and email are categorised as Public. Although information leakage is possible, it can be avoided by effective administration.
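A classification schema only protects data if something enforces it at the point of access. The following is an added example, not part of the original report: it assigns each member-record field from the asset list a confidentiality level and redacts a record according to the reader's role. The level chosen for each field and the clearance of each role are assumptions (the report says only that test levels are for system admins), and the member record is constructed for the example.

```python
"""Field-level redaction of member records by classification level
(added example, not the report's own code).

Levels follow the report's schema (Public < Internal < Confidential < Restricted).
The field-to-level map and role clearances are assumptions, except that the
report states test levels are visible to system admins only.
"""
LEVELS = {"public": 0, "internal": 1, "confidential": 2, "restricted": 3}

# Assumed classification of the member-record fields listed in the report.
FIELD_CLASSIFICATION = {
    "member_number": "internal",
    "full_name": "internal",
    "date_of_birth": "confidential",
    "phone": "confidential",
    "guardian_name": "confidential",
    "test_levels": "restricted",   # "system admins only" per the report
    "admin_notes": "restricted",   # assumed restricted
}

# Assumed clearance per role; the website front end is treated as Public.
ROLE_CLEARANCE = {
    "system_admin": "restricted",
    "event_manager": "confidential",
    "website_visitor": "public",
}

REDACTED = "<redacted>"


def can_read(role: str, field: str) -> bool:
    """True when the role's clearance meets or exceeds the field's level."""
    try:
        need = LEVELS[FIELD_CLASSIFICATION[field]]
        have = LEVELS[ROLE_CLEARANCE[role]]
    except KeyError as exc:
        raise ValueError(f"unknown role or field: {exc}") from None
    return have >= need


def redact(record: dict, role: str) -> dict:
    """Copy of `record` with fields above the role's clearance replaced by REDACTED.

    Fields that have no classification are dropped rather than passed through,
    so an unclassified column never leaks by default (fail closed).
    """
    out = {}
    for field, value in record.items():
        if field not in FIELD_CLASSIFICATION:
            continue
        out[field] = value if can_read(role, field) else REDACTED
    return out


# Constructed sample record (not real member data).
SAMPLE_RECORD = {
    "member_number": "M-0042",
    "full_name": "Example Member",
    "date_of_birth": "2010-05-01",
    "phone": "+00 000 000 000",
    "guardian_name": "Example Guardian",
    "test_levels": "Grade 3 passed",
    "admin_notes": "Fee paid late in March",
    "unclassified_extra": "should never be shown",
}

if __name__ == "__main__":
    for role in ROLE_CLEARANCE:
        print(role, redact(SAMPLE_RECORD, role))
```

The event manager sees names and contact details but not test levels or admin notes; a website-facing role sees nothing. Keeping the field map in one place means a new column is invisible to every role until someone classifies it, which is the behaviour a classification schema is meant to guarantee.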
As mentioned earlier, the database is vital to the business, so periodic backups, access privileges, continuous monitoring and encryption of the data in the database are the recommendations. A database firewall and a web application firewall can also be considered, along with keeping the database backup in encrypted form (Nordic, 2018).
Since internal communications and information sharing are necessary, it is recommended to use IDS and IPS to monitor email and employee activity. A periodic audit of internal policies (the primary functions of members) is also advisable.
Physical devices require a high level of security to keep the data safe. Using CCTV and threat detection sensors, with proper monitoring, is recommended to ensure there is no unauthorised access to the systems.
Since public resources are necessary for business, the website and email are categorised as Public. It is also recommended that the administrator authorise content before it is posted on the website, to ensure it does not have a negative impact on the business. Using strong and secure passwords and restricting email attachment size are recommended, along with proper security awareness training (Kevin, 2019).
In today's world, information security plays a vital role, so it is always better to ensure that information is secure from both internal and external threats. Performing periodic risk assessments helps organizations keep their information safe and gives more insight into their security.