Risk Assessment Report for Data Services

Added on 2019/09/16

AI Summary
This document presents a comprehensive risk assessment report for Data Services and Systems Pvt. Ltd., a hypothetical data analytics company based in China. The report outlines the company's operations, scope of its Information Security Management System (ISMS), and information security policy. It identifies various adversarial and non-adversarial risks that could impact the organization, including potential threats and vulnerabilities. The report also discusses responses to these identified risks and proposes information security controls based on ISO 27002 standards. The company's reliance on online communication and data storage is highlighted, emphasizing the importance of robust security measures.
Risk Assessment
Data Services and Systems Pvt. Ltd.
Student Name:
Course Name:
Abstract
Table of Contents
Abstract
Introduction
Scope of ISMS
Information Security Policy Statement
Risk Assessment
    Information Security Risks
        Adversarial Risk
        Non-Adversarial Risk
Response to Identified Risks
Information Security Controls
Conclusion
References
Introduction
The company selected for this assessment is Data Services and Systems Pvt. Ltd., a hypothetical company based in Guiyang City, China. The company provides data analytics services to clients around the world, ranging from large companies to small companies and some governmental organizations. It operates with around fifty in-house employees and also engages many individuals as freelancers. The freelancers are located in various countries around the world and provide their services to the company from their home countries. All of the company's activities are technology based, and the company has never involved itself in activities that require offline management; the exceptions are activities such as field surveys for data collection, which are conducted by country-specific freelance teams. The company is small and has no head office outside China. The only way it operates in other countries is through internet-based services. The data collection and management for those countries is taken care of at the head office, while the data collection and compilation itself is done by the freelancers.
The company management is concerned about the various security risks that might impact the organization's activities in the days to come. Some of the concerns relate to the security of data and information against physical and technical damage, among others. Therefore, the management is willing to implement an Information Security Management System (ISMS) to ensure that all the risks are taken care of. The chapters of this report are focused on identifying the likely risks and then devising appropriate mitigation plans for them. The second chapter discusses the scope of the ISMS for the company. The third chapter discusses the information security policy statement. The fourth chapter assesses the various security risks. The fifth chapter identifies the possible responses to the assessed risks, and the sixth chapter discusses the various security controls as per ISO 27002.
Scope of ISMS
The company is situated in Guiyang City, the capital of Guizhou province in Southwest China. The city floods almost every year. The company is physically present only in this city and has no other physical presence anywhere in the world. As far as the business market is concerned, however, the company covers various countries such as the USA, European countries, India, and others. The company is in data analytics and management. Clients hire it to conduct various forms of analysis to understand the market trends and other aspects. The data is collected by the company through an online network of numerous freelancers active throughout the world. The operations department of the company handles these freelancers. The department assigns responsibilities to the freelancers through email and chat, and the completed tasks are received through email. At present the company uses QQ as its mail and chat messenger to conduct its business worldwide. The freelancers use QQ International to connect with the operations department. Reports on the completion of particular tasks, such as data collection from the field, data collation and other activities, are passed to the Finance department, which distributes the payments at the end of each month. The
The company's dependency on online communication is huge; it cannot operate even for a single day without it. The company currently has 65 desktops, of which around ten are idle and the rest are functional. The operations department uses around 30 of these computers, and the rest are distributed among the other departments. All the computers are connected to the internet through high-speed broadband. The company also uses a large data storage centre, which is situated on the ground floor of the company headquarters. The data centre relies on various components for its functioning; some of the important ones are heat exchangers, transformers, the server room, cooling units, extinguishing gas, diesel generators, cooling water, batteries, telecommunications, and video cameras. The company uses different software for different types of data analysis and maintenance, such as IBM's SPSS, R, and others. There are further technological assets such as iPads, laptops, mobile phones, landline connections, and others.
The company's headquarters is a six-storey building. The ground floor houses the data centre, and the remaining floors are for staff and company management. Other than the technological assets and the building, the company has the furniture sets used by the staff for their work.
Information Security Policy Statement
Given below is the information security policy that is active within the company:
1. The company will safeguard all information received from clients.
2. The data and information will be kept confidential from any third party unless the management orders otherwise.
3. It should be ensured that the available network infrastructure is reliable and sound for the proper functioning of the business.
4. Compliance with international information security standards should be maintained.
5. The management of the organization will handle all security-related issues, and changes to the policy will be at its discretion.
6. Continued assessment of the risks should be carried out to ensure that any shortcomings are identified as early as possible.
7. The implementation of any change within the organization should be accompanied by a security assessment, before or after the change.
8. Access to sensitive information will be protected by multiple layers, and it will be accessed by authorized personnel only.
9. Information should be segregated into sensitive and general information the moment it arrives, to make a clear distinction and ease its management.
10. While at employment, all information generated by a particular employee will be an asset of the company and will be stored in the company repository.
11. Employees are instructed not to use personal equipment such as laptops, smartphones, and similar devices within the company premises to access company data and information.
12. Use of any external storage device is not allowed with any computer or other electronic equipment of the company.
13. All security issues must be reported to the management in the shortest possible time.
Risk Assessment
This section is concerned with the identification of the various security risks that are likely to threaten the functioning of the business. Twelve security risks have been identified. Six of them are adversarial risks and the rest are non-adversarial risks. Adversarial risk refers to the risks that are
Adversarial Risk
Threat Event | Threat Sources | Threat Source Characteristics (Capability / Intent / Targeting) | Relevance | Likelihood of Attack Initiation | Vulnerabilities and Predisposing Conditions | Severity and Pervasiveness | Likelihood Initiated Attack Succeeds | Overall Likelihood | Level of Impact | Risk
Non-Adversarial Risk
1. Threat Event | 2. Threat Sources | 3. Range of Effects | 4. Relevance | 5. Likelihood of Event Occurring | 6. Vulnerabilities and Predisposing Conditions | 7. Severity and Pervasiveness | 8. Likelihood Event Results in Adverse Impact | 9. Overall Likelihood | 10. Level of Impact | 11. Risk
Response to Identified Risks
Information Security Controls
Conclusion
References