CO4512 - Information Security Management Risk Assessment: CONVXYZ
VerifiedAdded on 2023/04/11
|15
|2804
|294
Report
AI Summary
This report utilizes the ISO 27005 standard for information security risk management, focusing on CONVXYZ. It details the advantages of using ISO 27005 to improve organizational security levels, emphasizing the various layers of risk assessment, including vulnerability, existing controls, assets, and vulnerabilities. The report includes asset specifications, threat and vulnerability analysis for each asset (servers, mail server, routers, firewall, database, computers), likelihood level computation, impact table specification, and risk identification using a Boston Grid Matrix. Furthermore, the report outlines risk treatment plans and recommendations for enhancing information security management within organizations. Desklib offers a wide range of solved assignments and past papers for students seeking academic support.
Running head: MANAGEMENT OF INFORMATION SECURITY
Management of information security
Name of the student:
Name of the university:
Author note:
Management of information security
Name of the student:
Name of the university:
Author note:
Paraphrase This Document
Need a fresh take? Get an instant paraphrase of this document with our AI Paraphraser
1MANAGEMENT OF INFORMATION SECURITY
Executive Summary
This report aims to make use of ISO 27005 standard for the management of security risk
(Agrawal, 2017). The main advantage of using this ISO 27005 standard for managing security
risk and improving the security level of organizations and businesses. There are several layers
of this risk assessment to manage the risk security; risk of the information security depends
upon various factors such as vulnerability, existing controls, assets and vulnerabilities (Mayer
et al, 2016). This risk assessment provides the monitoring of security risk and its factors to
manage the risk management and to treat the risk. After knowing the risk then only it is
possible to treat risk of security and to get detailed information of the risk, ISO 27005
security risk management is used. There are several benefits of this risk management model
in the business area such as the major undertaking for an organization it is necessary to gain
the backing, sponsorship and support of the management executive. Thereafter the report
ends by listing observations in conclusion section.
Executive Summary
This report aims to make use of ISO 27005 standard for the management of security risk
(Agrawal, 2017). The main advantage of using this ISO 27005 standard for managing security
risk and improving the security level of organizations and businesses. There are several layers
of this risk assessment to manage the risk security; risk of the information security depends
upon various factors such as vulnerability, existing controls, assets and vulnerabilities (Mayer
et al, 2016). This risk assessment provides the monitoring of security risk and its factors to
manage the risk management and to treat the risk. After knowing the risk then only it is
possible to treat risk of security and to get detailed information of the risk, ISO 27005
security risk management is used. There are several benefits of this risk management model
in the business area such as the major undertaking for an organization it is necessary to gain
the backing, sponsorship and support of the management executive. Thereafter the report
ends by listing observations in conclusion section.
2MANAGEMENT OF INFORMATION SECURITY
Table of Contents
Introduction................................................................................................................................2
Discussion..................................................................................................................................3
Risk Assessment.........................................................................................................................3
Owner Specification...................................................................................................................3
System Boundaries.................................................................................................................3
Primary and Secondary Asset................................................................................................4
Threat of each assets..............................................................................................................4
Vulnerability for each Assets.................................................................................................5
Likelihood level computation................................................................................................5
Impact table specification......................................................................................................6
Risk Identification..................................................................................................................7
Section 1.................................................................................................................................8
Section 2.................................................................................................................................9
Section 3.................................................................................................................................9
Section 4 (Risk treatment plan)............................................................................................10
Summary..................................................................................................................................10
Recommendation......................................................................................................................11
References................................................................................................................................12
Table of Contents
Introduction................................................................................................................................2
Discussion..................................................................................................................................3
Risk Assessment.........................................................................................................................3
Owner Specification...................................................................................................................3
System Boundaries.................................................................................................................3
Primary and Secondary Asset................................................................................................4
Threat of each assets..............................................................................................................4
Vulnerability for each Assets.................................................................................................5
Likelihood level computation................................................................................................5
Impact table specification......................................................................................................6
Risk Identification..................................................................................................................7
Section 1.................................................................................................................................8
Section 2.................................................................................................................................9
Section 3.................................................................................................................................9
Section 4 (Risk treatment plan)............................................................................................10
Summary..................................................................................................................................10
Recommendation......................................................................................................................11
References................................................................................................................................12
⊘ This is a preview!⊘
Do you want full access?
Subscribe today to unlock all pages.
Trusted by 1+ million students worldwide
3MANAGEMENT OF INFORMATION SECURITY
Introduction
This document is going to use ISO 27005 standard for the management of security
risk for CONVXYZ (Agrawal, 2017). The main advantage of using this ISO 27005 standard
for managing security risk and improving the security level of organizations and businesses.
There are several layers of this risk assessment to manage the risk security; risk of the
information security depends upon various factors such as vulnerability, existing controls,
assets and vulnerabilities (Mayer et al, 2016). This risk assessment provides the monitoring of
security risk and its factors to manage the risk management and to treat the risk. After
knowing the risk then only it is possible to treat risk of security and to get detailed
information of the risk, ISO 27005 security risk management is used. There are several
benefits of this risk management model in the business area such as the major undertaking for
an organization it is necessary to gain the backing, sponsorship and support of the
management executive. Improvement of opportunities, identification, and risk to the
information system.
This report will be include risk assessment of information security. Risk, threats and
vulnerability of the system provided to identify the security level of the system that is website
of CONVXYZ based on ISO 27005 standard. This report will also discuss about the owner
specified, primary and secondary assets and the threats and vulnerability that are related with
this assets. Risk identification carried out with respective risks plotted in Boston grid matrix.
In the last, there will be recommendation to improve the management of information security
for the organizations and business areas.
Introduction
This document is going to use ISO 27005 standard for the management of security
risk for CONVXYZ (Agrawal, 2017). The main advantage of using this ISO 27005 standard
for managing security risk and improving the security level of organizations and businesses.
There are several layers of this risk assessment to manage the risk security; risk of the
information security depends upon various factors such as vulnerability, existing controls,
assets and vulnerabilities (Mayer et al, 2016). This risk assessment provides the monitoring of
security risk and its factors to manage the risk management and to treat the risk. After
knowing the risk then only it is possible to treat risk of security and to get detailed
information of the risk, ISO 27005 security risk management is used. There are several
benefits of this risk management model in the business area such as the major undertaking for
an organization it is necessary to gain the backing, sponsorship and support of the
management executive. Improvement of opportunities, identification, and risk to the
information system.
This report will be include risk assessment of information security. Risk, threats and
vulnerability of the system provided to identify the security level of the system that is website
of CONVXYZ based on ISO 27005 standard. This report will also discuss about the owner
specified, primary and secondary assets and the threats and vulnerability that are related with
this assets. Risk identification carried out with respective risks plotted in Boston grid matrix.
In the last, there will be recommendation to improve the management of information security
for the organizations and business areas.
Paraphrase This Document
Need a fresh take? Get an instant paraphrase of this document with our AI Paraphraser
4MANAGEMENT OF INFORMATION SECURITY
Risk Assessment
Asset Specification
SysID Components Platform
S01 Servers Windows
Server 2016
S02 Mail Server Apache
HTTP
Server
S03 Routers RV320
S04 Firewall Firepower
9300
S05 Database IBM DB2
S06 Computers Windows 10
Threat of each assets
Computer
Virus: One more major threat can be viruses, which can infect if the antivirus software is
outdated and this may cause potential loss of sensitive information available for the hackers.
Database
Excess privileges: Privileges are sometimes granted to organizational members that may
exceed the scope of their particular role. These privileges can be misused to cause damages to
company information and integrity.
Firewall
Risk Assessment
Asset Specification
SysID Components Platform
S01 Servers Windows
Server 2016
S02 Mail Server Apache
HTTP
Server
S03 Routers RV320
S04 Firewall Firepower
9300
S05 Database IBM DB2
S06 Computers Windows 10
Threat of each assets
Computer
Virus: One more major threat can be viruses, which can infect if the antivirus software is
outdated and this may cause potential loss of sensitive information available for the hackers.
Database
Excess privileges: Privileges are sometimes granted to organizational members that may
exceed the scope of their particular role. These privileges can be misused to cause damages to
company information and integrity.
Firewall
5MANAGEMENT OF INFORMATION SECURITY
Protocol attacks: These are among the DDoS attacks that specifically target Firewalls.
CONVXYZ uses a standalone firewall device which if compromised can be disastrous for the
company.
Router
VPN filter: Among the common threats to home and small business routers and is hence a
concern for CONVXYZ. This threat cannot be removed by means of a simple reboot.
Mail Server
Spam: These are the repetitive junk emails from newsgroups and other random sources. Since
each of CONVXYZ staff members are assigned email accounts managed by the mail server,
unsolicited mails can prove as a security concern.
Server
Trojan: The servers of CONVXYZ are running windows server 2012 for which numerous
Trojans exist. Trojans are severe security risks and can massively impact the company
network.
Vulnerability for each Assets
Computer
CVE-2019-0879: This vulnerability is present is the windows Jet Database engine by which
are improperly handled in memory. The vulnerability lets attackers remotely execute random
codes.
Database
Protocol attacks: These are among the DDoS attacks that specifically target Firewalls.
CONVXYZ uses a standalone firewall device which if compromised can be disastrous for the
company.
Router
VPN filter: Among the common threats to home and small business routers and is hence a
concern for CONVXYZ. This threat cannot be removed by means of a simple reboot.
Mail Server
Spam: These are the repetitive junk emails from newsgroups and other random sources. Since
each of CONVXYZ staff members are assigned email accounts managed by the mail server,
unsolicited mails can prove as a security concern.
Server
Trojan: The servers of CONVXYZ are running windows server 2012 for which numerous
Trojans exist. Trojans are severe security risks and can massively impact the company
network.
Vulnerability for each Assets
Computer
CVE-2019-0879: This vulnerability is present is the windows Jet Database engine by which
are improperly handled in memory. The vulnerability lets attackers remotely execute random
codes.
Database
⊘ This is a preview!⊘
Do you want full access?
Subscribe today to unlock all pages.
Trusted by 1+ million students worldwide
6MANAGEMENT OF INFORMATION SECURITY
CVE-2015-1935: This vulnerability lets the attacker cause denial of service (DoS) attacks or
execution of arbitrary codes. Since it affects both windows and DB2, this counts as a major
concern for CONVXYZ.
Firewall
CVE-2019-1600: The vulnerability affects firepower 9300 series firewalls and lets local
attackers to access sensitive information. Attackers through infected staff computers can take
advantage of this vulnerability and cause massive losses for CONVXYZ.
Router
CVE-2019-1653: The vulnerability lies in the web-oriented management of Cisco routers
RV325 and RV320. Sensitive information of CONVXYZ can be stolen by attackers through
this risk.
Mail Server
CVE-2018-11763: With the help of this vulnerability in Apache HTTP Server, attackers send
large sets of configuration frames through which clients occupy connections, threads to
servers and CPU resources without total paralysis of network.
Server
CVE-2018-8136: This vulnerability in servers is another risk that lets attackers remotely
execute arbitrary codes. Since CONVXYZ uses 5 physical servers, this vulnerability can be a
major concern.
Likelihood level computation
Likelihood of determines the probability that a threat caused by source of threat that
will take place against vulnerability. To identify that the risk assessment are consistent , this
is very much needed to define the likelihood on all risk assessments. Three levels of
CVE-2015-1935: This vulnerability lets the attacker cause denial of service (DoS) attacks or
execution of arbitrary codes. Since it affects both windows and DB2, this counts as a major
concern for CONVXYZ.
Firewall
CVE-2019-1600: The vulnerability affects firepower 9300 series firewalls and lets local
attackers to access sensitive information. Attackers through infected staff computers can take
advantage of this vulnerability and cause massive losses for CONVXYZ.
Router
CVE-2019-1653: The vulnerability lies in the web-oriented management of Cisco routers
RV325 and RV320. Sensitive information of CONVXYZ can be stolen by attackers through
this risk.
Mail Server
CVE-2018-11763: With the help of this vulnerability in Apache HTTP Server, attackers send
large sets of configuration frames through which clients occupy connections, threads to
servers and CPU resources without total paralysis of network.
Server
CVE-2018-8136: This vulnerability in servers is another risk that lets attackers remotely
execute arbitrary codes. Since CONVXYZ uses 5 physical servers, this vulnerability can be a
major concern.
Likelihood level computation
Likelihood of determines the probability that a threat caused by source of threat that
will take place against vulnerability. To identify that the risk assessment are consistent , this
is very much needed to define the likelihood on all risk assessments. Three levels of
Paraphrase This Document
Need a fresh take? Get an instant paraphrase of this document with our AI Paraphraser
7MANAGEMENT OF INFORMATION SECURITY
likelihood are low as 0-25% during one-year period chances of successful exercise of threat,
medium as 26-75% during one-year period chances of successful exercise of threat., High as
76-100% during one-year period chances of successful exercise of threat.
This likelihood definition describe the entire bell curve, along with medium being
twice as significant as low or high.
The likelihood table and the risk table is given below as follows:
Virus
CVE-
2019-
0879
DDoS
CVE-
2018-
11763
SPAM
Table 1 Likelihood Matrix
Protocol
Attack
CVE-
2015-
High
likelihood
Low
likelihood
Medium
likelihood
likelihood are low as 0-25% during one-year period chances of successful exercise of threat,
medium as 26-75% during one-year period chances of successful exercise of threat., High as
76-100% during one-year period chances of successful exercise of threat.
This likelihood definition describe the entire bell curve, along with medium being
twice as significant as low or high.
The likelihood table and the risk table is given below as follows:
Virus
CVE-
2019-
0879
DDoS
CVE-
2018-
11763
SPAM
Table 1 Likelihood Matrix
Protocol
Attack
CVE-
2015-
High
likelihood
Low
likelihood
Medium
likelihood
8MANAGEMENT OF INFORMATION SECURITY
1935
DDoS
VPNfilter
CVE-
2019-1653
Table 2 Risk Matrix
Table 3 Risk assessment using Boston Grid Matrix
For risk assessment using Boston grid matrix, there are four section as mentioned below.
Section 1
This section will be consist of six different fields that needs to be filled, where the
first one is date, this will contain the date of the risk assessment when it was completed
(Jouini and Rabai, 2016). Second is name of the person who did this assessment and it is not
necessarily that the risk control owner. After this the it is required to mention post of the
person who did this assessment. Department name of the risk that has been identified and
then the risk assessment number that will be numbered as consecutively, that provides
auditable trail of activeness and treatment. And the last there will be type of the risk that has
been found from the risk assessment.
Section 2
This section has six different sub-sections that will contain the code, severity,
likelihood, categories of risk, rating of risk and risk. The first one will be the sequential
number if the identified risk, that will be used for department information to give a unique
code to each risk and to register it. In the risk section, this will describe the risk and what are
the consequences of this risk and what are the possible outcomes of the risk. In the categories
1935
DDoS
VPNfilter
CVE-
2019-1653
Table 2 Risk Matrix
Table 3 Risk assessment using Boston Grid Matrix
For risk assessment using Boston grid matrix, there are four section as mentioned below.
Section 1
This section will be consist of six different fields that needs to be filled, where the
first one is date, this will contain the date of the risk assessment when it was completed
(Jouini and Rabai, 2016). Second is name of the person who did this assessment and it is not
necessarily that the risk control owner. After this the it is required to mention post of the
person who did this assessment. Department name of the risk that has been identified and
then the risk assessment number that will be numbered as consecutively, that provides
auditable trail of activeness and treatment. And the last there will be type of the risk that has
been found from the risk assessment.
Section 2
This section has six different sub-sections that will contain the code, severity,
likelihood, categories of risk, rating of risk and risk. The first one will be the sequential
number if the identified risk, that will be used for department information to give a unique
code to each risk and to register it. In the risk section, this will describe the risk and what are
the consequences of this risk and what are the possible outcomes of the risk. In the categories
⊘ This is a preview!⊘
Do you want full access?
Subscribe today to unlock all pages.
Trusted by 1+ million students worldwide
9MANAGEMENT OF INFORMATION SECURITY
section it will search for the categories of the risk falls as per the matrix. Likelihood and
severity are the score of the risk that profiling the grid. Rating of the risk is identified as the
likelihood multiplied with the severity (likelihood x severity).
Section 3
This section consist of eight different sub-sections that are as follows, The first one is
control measure in place that describe controls in all the places. Second field is likelihood and
the 3rd one is severity and both of this will score of the residual of the risk with controls in
place. Fourth one is rating of the risk that has been identified and rate this risk that will be
done using likelihood multiplied with the severity. 5th is controls which is required further as
yes or no, this is needed if rating of the risk is 9 or high. 6th is review of the frequency, this
frequency review will describe about how risk can be overviewed and what are the number
of criteria, rating of the risk and how important is this risk. In the second last that is 7th field
is what should be the next date of review this will plot realistically when the next review
control measure. In the last section is owner, owner is responsible for the risk control. The
treatment plan will be effective and will be review at the time of risk management group
discussion or the time of proposing management risk planning.
Section 4 (Risk treatment plan)
This section has header that insert the department that relates this risk (Matulevičius,
2017). This section contains eight columns that are as follows. Column 1, this column will
take the number which is equal to the finding number n in the risk assessment using. Column
2, This column will take the risk as described from the matrix risk assessment. Column 3,
This will take the final rating of the risk identified from the assessment that is residua risk.
Column 4, This column will define the necessary action which is required and what is the
control. Column 5, this column will have the measure of control by the owner. In the 6th
column, it will contain the verification of successful control is done or not and what are the
section it will search for the categories of the risk falls as per the matrix. Likelihood and
severity are the score of the risk that profiling the grid. Rating of the risk is identified as the
likelihood multiplied with the severity (likelihood x severity).
Section 3
This section consist of eight different sub-sections that are as follows, The first one is
control measure in place that describe controls in all the places. Second field is likelihood and
the 3rd one is severity and both of this will score of the residual of the risk with controls in
place. Fourth one is rating of the risk that has been identified and rate this risk that will be
done using likelihood multiplied with the severity. 5th is controls which is required further as
yes or no, this is needed if rating of the risk is 9 or high. 6th is review of the frequency, this
frequency review will describe about how risk can be overviewed and what are the number
of criteria, rating of the risk and how important is this risk. In the second last that is 7th field
is what should be the next date of review this will plot realistically when the next review
control measure. In the last section is owner, owner is responsible for the risk control. The
treatment plan will be effective and will be review at the time of risk management group
discussion or the time of proposing management risk planning.
Section 4 (Risk treatment plan)
This section has header that insert the department that relates this risk (Matulevičius,
2017). This section contains eight columns that are as follows. Column 1, this column will
take the number which is equal to the finding number n in the risk assessment using. Column
2, This column will take the risk as described from the matrix risk assessment. Column 3,
This will take the final rating of the risk identified from the assessment that is residua risk.
Column 4, This column will define the necessary action which is required and what is the
control. Column 5, this column will have the measure of control by the owner. In the 6th
column, it will contain the verification of successful control is done or not and what are the
Paraphrase This Document
Need a fresh take? Get an instant paraphrase of this document with our AI Paraphraser
10MANAGEMENT OF INFORMATION SECURITY
benefits of this supervising. Column 7 will have all the important key dates that affects the
control. In the last column 8, that agreed date of frequency and review.
Impact table specification
(Soomro et al, 2016)Impact table specification for describing the risk level is
mentioned below.
Confidentiality Availability Integrity
Low Limited effect is
caused due to loss of
confidentiality.
Limited effect is
caused due to loss of
availability on the
organization.
Limited effect will
be caused due to
loss of integrity to
the organization
Medium Serious effect is caused
due to loss of
confidentiality of the
organization.
Serious effect may
caused due to loss
availability of
integrity on the
organization.
Serious effect is
caused due to loss
of integrity on the
organization.
High Severe effect is caused
due to loss of
confidentiality on the
organization.
Severe effect is
caused due to loss of
availability on the
organization.
Severe effect is
caused due to loss
of integrity on the
organization.
Existing control identification: There is list of controls that can be found in ISO 27005
Vulnerability identification: This will identify the existing probable (Liu et al, 2018),
procedures and process, hardware and software or the communication necessary items, partial
dependence on external parties.
benefits of this supervising. Column 7 will have all the important key dates that affects the
control. In the last column 8, that agreed date of frequency and review.
Impact table specification
(Soomro et al, 2016)Impact table specification for describing the risk level is
mentioned below.
Confidentiality Availability Integrity
Low Limited effect is
caused due to loss of
confidentiality.
Limited effect is
caused due to loss of
availability on the
organization.
Limited effect will
be caused due to
loss of integrity to
the organization
Medium Serious effect is caused
due to loss of
confidentiality of the
organization.
Serious effect may
caused due to loss
availability of
integrity on the
organization.
Serious effect is
caused due to loss
of integrity on the
organization.
High Severe effect is caused
due to loss of
confidentiality on the
organization.
Severe effect is
caused due to loss of
availability on the
organization.
Severe effect is
caused due to loss
of integrity on the
organization.
Existing control identification: There is list of controls that can be found in ISO 27005
Vulnerability identification: This will identify the existing probable (Liu et al, 2018),
procedures and process, hardware and software or the communication necessary items, partial
dependence on external parties.
11MANAGEMENT OF INFORMATION SECURITY
Summary
Method of risk assessment of information security is easy to use that provides an
overview in the graphical method that affects the business areas. This assessment process
passes through all staff as described by the managers. It is required to perform risk analysis of
information security on a regular basis to keep the system secure and safe. This process is
although not purely accurate but it depend on the judgement and knowledge decision from
people. It is very much important to know the vulnerability and threats that are present in the
system because then only it is possible to treat with the present vulnerability and threats. To
know detailed about the threats or vulnerability it is very much needed to have grid matrix
that will be useful for the risk assessment. The grid matrix identifies the level , type and detail
of the risk that has been found from the risk assessment. There are various factors upon
which risk is dependent and varies as well. Likelihood of the vulnerability leads to
consequences of the threats or the vulnerability caused by the other threats. Likelihood makes
the chain system for the threats and it is very much important to eliminate from getting
consequences of likelihood. In the impact table of the information security, it defines the
level of the risk and what are the probability of causing damage to the system or organization.
This risk assessment makes a big impact for the information security management because
without having updated information about the system and the organization it is not possible to
make changes and keep the system at a safe place.
Recommendation
From the above discussion, it is recommended that the organization needs to perform
risk assessment on a regular basis to have the updated information of their organization and
take action where it is required. Antivirus software needed to be updated on regular basis and
this is very much important. Organization needs to make terms and condition to keep the
system information safe and secure from getting unauthorized access. It is also recommended
Summary
Method of risk assessment of information security is easy to use that provides an
overview in the graphical method that affects the business areas. This assessment process
passes through all staff as described by the managers. It is required to perform risk analysis of
information security on a regular basis to keep the system secure and safe. This process is
although not purely accurate but it depend on the judgement and knowledge decision from
people. It is very much important to know the vulnerability and threats that are present in the
system because then only it is possible to treat with the present vulnerability and threats. To
know detailed about the threats or vulnerability it is very much needed to have grid matrix
that will be useful for the risk assessment. The grid matrix identifies the level , type and detail
of the risk that has been found from the risk assessment. There are various factors upon
which risk is dependent and varies as well. Likelihood of the vulnerability leads to
consequences of the threats or the vulnerability caused by the other threats. Likelihood makes
the chain system for the threats and it is very much important to eliminate from getting
consequences of likelihood. In the impact table of the information security, it defines the
level of the risk and what are the probability of causing damage to the system or organization.
This risk assessment makes a big impact for the information security management because
without having updated information about the system and the organization it is not possible to
make changes and keep the system at a safe place.
Recommendation
From the above discussion, it is recommended that the organization needs to perform
risk assessment on a regular basis to have the updated information of their organization and
take action where it is required. Antivirus software needed to be updated on regular basis and
this is very much important. Organization needs to make terms and condition to keep the
system information safe and secure from getting unauthorized access. It is also recommended
⊘ This is a preview!⊘
Do you want full access?
Subscribe today to unlock all pages.
Trusted by 1+ million students worldwide
1 out of 15
Related Documents
Your All-in-One AI-Powered Toolkit for Academic Success.
+13062052269
info@desklib.com
Available 24*7 on WhatsApp / Email
![[object Object]](/_next/static/media/star-bottom.7253800d.svg)
Unlock your academic potential
Copyright © 2020–2025 A2Z Services. All Rights Reserved. Developed and managed by ZUCOL.