Assignment Task
Overview
This assignment provides you with an opportunity to perform a risk assessment for a fictional business. You will need to apply the relevant information security concepts discussed in the lecture and carry out your own research on topics related to the task.
The Task
In this assignment, you will play the role of a security consultant. Your client is a fictional organisation that has asked you to perform a security risk assessment of the organisation. You are expected to deliver a formal written report that will be presented to the board. The information security risk assessment must be performed in accordance with NIST SP 800-30 Rev. 1, Guide for Conducting Risk Assessments.
Based on the background information about the company given in Appendix 1, perform the required risk assessment and submit a written report. Note that you may make assumptions about information required to complete the task; state every assumption you make in the report. The report must contain the following sections.
Executive summary: This must summarise the task and the major findings.
Introduction
Purpose: It must clearly state the reasons for conducting the risk assessment and the objectives that the work aims to achieve.
Scope: It must clearly state what is covered and what is not.
Recommendations: This section must list and explain only the most important findings from the analysis. Typically these are the items with the highest risk values in the risk assessment results presented later in the report. Each recommendation must state the vulnerability it addresses and the possible consequences if it is not addressed immediately, and must correctly reference the corresponding item(s) in the risk assessment results.
Risk assessment approach
– Participants: You will need to list all people involved in the risk assessment, their roles and contact details.
– Techniques: You will need to clearly state which methods you used to gather the information needed to identify vulnerabilities, estimate loss and determine risk values (for example questionnaires, interviews, document review and scanning tools), and clearly indicate what information each method provided.
– Risk model: You need to explain in detail which risk assessment approach (qualitative or quantitative) you use. If you use the qualitative approach, you need to clearly define the levels for likelihood and impact, explain how each level is interpreted, and construct the risk matrix that you will follow. If you use the quantitative approach, you will also need to explain the mathematical equations that you use to calculate the risk values (for example single loss expectancy, annual rate of occurrence and annualised loss expectancy). Importantly, all the risk calculations that you present subsequently need to be consistent with the risk model you choose: every likelihood, impact and risk value in the results section must come from the scale or equations defined here.
System characterisation: In this section, you will detail all six components of the information system on which you are performing the risk assessment: hardware, software, data, procedures, people (users) and networks. Where applicable, you must show detailed technical information such as model, version and diagrams. You should also categorise the items within each component (for example servers, workstations and network devices under hardware) for improved clarity.
Vulnerability statement: In this section, you will list all the vulnerabilities you have found and briefly describe each one. Give each vulnerability an identifier so that the risk assessment results and the recommendations can refer to it unambiguously.
Threat statement: In this section, you will identify all plausible threat sources (adversarial, accidental, structural and environmental, in the terms of NIST SP 800-30 Rev. 1). For each threat source, list the threat events (actions) it may carry out against the system.
Risk assessment results: In this section, you will assess the risk arising from each vulnerability identified above. For each one, state or reference the vulnerability, describe the resulting risk, determine the impact and likelihood with justification, evaluate the overall risk, identify the existing control, and evaluate the residual risk. Your risk assessment must address all three security goals: confidentiality, integrity and availability. Finally, recommend relevant controls to address the residual risk.
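The following Python script is an added example from the editor, not part of the assignment brief and not the lecturer's material. It illustrates the risk model and results sections above: a qualitative 5x5 likelihood/impact matrix (modelled on NIST SP 800-30 Rev. 1 Appendix I, Table I-2; substitute your own matrix if the course mandates one), the quantitative equations SLE = AV x EF and ALE = SLE x ARO, and a consistency check that flags results which contradict the chosen model. The register entries V-01 to V-03 and all monetary figures are constructed for illustration.

```python
"""Risk model helpers for a NIST SP 800-30 Rev. 1 style assessment.
Editor's added example (not part of the brief): a qualitative 5x5
likelihood/impact model, the quantitative SLE/ALE equations, and a
consistency check over a constructed sample risk register."""
from dataclasses import dataclass

# Assessment scale shared by likelihood, impact and risk level.
LEVELS = ["Very Low", "Low", "Moderate", "High", "Very High"]

# Rows are likelihood, columns are impact (both ordered as LEVELS), cells are the
# combined risk level. Modelled on NIST SP 800-30 Rev. 1 Appendix I, Table I-2
# (assumption: replace this table if your course defines a different matrix).
RISK_MATRIX = {
    "Very Low":  ["Very Low", "Very Low", "Very Low", "Low",      "Low"],
    "Low":       ["Very Low", "Low",      "Low",      "Low",      "Moderate"],
    "Moderate":  ["Very Low", "Low",      "Moderate", "Moderate", "High"],
    "High":      ["Very Low", "Low",      "Moderate", "High",     "Very High"],
    "Very High": ["Very Low", "Low",      "Moderate", "High",     "Very High"],
}

def qualitative_risk(likelihood: str, impact: str) -> str:
    """Combined risk level for one likelihood/impact pair."""
    if likelihood not in LEVELS or impact not in LEVELS:
        raise ValueError(f"levels must be one of {LEVELS}")
    return RISK_MATRIX[likelihood][LEVELS.index(impact)]

def single_loss_expectancy(asset_value: float, exposure_factor: float) -> float:
    """SLE = AV x EF; EF is the fraction of the asset value lost per event."""
    if not 0.0 <= exposure_factor <= 1.0:
        raise ValueError("exposure factor must lie between 0 and 1")
    return asset_value * exposure_factor

def annualised_loss_expectancy(sle: float, aro: float) -> float:
    """ALE = SLE x ARO; ARO is the expected number of events per year."""
    return sle * aro

@dataclass
class RiskItem:
    """One row of the risk assessment results table."""
    ident: str                # reference used by the Recommendations section
    vulnerability: str
    goal: str                 # "C", "I" or "A": security goal mainly affected
    likelihood: str           # inherent, i.e. before the existing control
    impact: str
    asset_value: float        # inputs to the quantitative figures
    exposure_factor: float
    aro: float
    existing_control: str
    residual_likelihood: str  # after the existing control
    residual_impact: str

def assess(item: RiskItem) -> dict:
    """Inherent and residual risk levels plus SLE/ALE, all from the one model."""
    sle = single_loss_expectancy(item.asset_value, item.exposure_factor)
    return {"ident": item.ident,
            "inherent": qualitative_risk(item.likelihood, item.impact),
            "residual": qualitative_risk(item.residual_likelihood, item.residual_impact),
            "sle": sle,
            "ale": annualised_loss_expectancy(sle, item.aro)}

def consistency_errors(items: list) -> list:
    """Problems a board reader would reject: a level off the scale, a control
    under which residual risk exceeds inherent risk, or a register that does
    not cover all of C, I and A."""
    errors = []
    for it in items:
        levels = (it.likelihood, it.impact, it.residual_likelihood, it.residual_impact)
        if any(lvl not in LEVELS for lvl in levels):
            errors.append(f"{it.ident}: a level is not on the scale {LEVELS}")
            continue
        r = assess(it)
        if LEVELS.index(r["residual"]) > LEVELS.index(r["inherent"]):
            errors.append(f"{it.ident}: residual {r['residual']} exceeds inherent {r['inherent']}")
    missing = {"C", "I", "A"} - {it.goal for it in items}
    if missing:
        errors.append(f"no item addresses security goal(s) {sorted(missing)}")
    return errors

def rank(items: list) -> list:
    """Identifiers in the order the Recommendations section should treat them:
    highest residual level first, ties broken by the larger annualised loss."""
    results = [assess(it) for it in items]
    results.sort(key=lambda r: (LEVELS.index(r["residual"]), r["ale"]), reverse=True)
    return [r["ident"] for r in results]

# Constructed sample register; every entry and figure is invented for illustration.
SAMPLE_REGISTER = [
    RiskItem("V-01", "Internet-facing web server missing vendor patches", "I",
             "High", "High", 200_000, 0.25, 0.5, "Monthly patch cycle", "Moderate", "High"),
    RiskItem("V-02", "No off-site backup of the customer database", "A",
             "Moderate", "Very High", 500_000, 0.6, 0.1, "None", "Moderate", "Very High"),
    RiskItem("V-03", "One shared administrator password for all servers", "C",
             "Very High", "Moderate", 100_000, 0.3, 2.0,
             "Password manager with individual accounts", "Low", "Moderate"),
]
```

Running `rank(SAMPLE_REGISTER)` orders the register V-02, V-01, V-03: V-03 has the largest annualised loss (60,000) but its existing control brings residual risk down to Low, while V-02 has no control and stays High. This is the ordering the Recommendations section should follow, and `consistency_errors` is the check to run before the numbers go into the report.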