Description
The objective of this assignment is to develop a Risk Assessment Report for an organization including companies and government agencies.
You will conduct the analysis using only public information from the internet, organizational and news reports, journal articles, etc., and information based on judicious, believable extrapolation of that information. Consider the organization’s information assets (computing and networking infrastructure), vulnerabilities, and legitimate threats that can exploit those vulnerabilities.
There is a wealth of business-oriented and technical information that can be used to infer likely vulnerabilities and assets for an organization. It is recommended that students select their organizations based at least in part on ease of information gathering, from a public record perspective.
Instructions
(NOTE: You will complete steps 1 and 2 by the end of Week 4 to submit as the Portfolio Project Milestone.)
- Select an organization that has sufficient publicly available information to support a reasonable risk analysis, particularly including threat and vulnerability identification.
- Create an organization profile that includes:
- Name and location
- Management or basic organization structure
- Industry and purpose (i.e., the nature of its business)
- Financial information, standing in its industry, reputation
- Relevant aspects of the company/organization’s computing and network infrastructure
Note: Do not try to access more information through Social Engineering or through attempted cyber-attacks or intrusion attempts. This is a look at how readily available information might be used from a risk management perspective.
- Conduct the analysis using the National Institute of Standards and Technology (NIST) Risk Management Guide for Information Technology Systems.
- Focus on identifying threats and vulnerabilities faced by the organization.
- Based on the threats and vulnerabilities, determine the likelihood and severity of impact that would occur should each of the threats materialize. This should produce a listing of risks, at least roughly ordered by their significance to the organization.
- For the risks you have identified, suggest ways that the subject organization might respond to mitigate the risk.
Your well-developed report must meet the following requirements.
- Include 15 to 20 pages, not including the cover page and reference page.
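Step 3 of the instructions (turn each threat/vulnerability pair into a likelihood and an impact rating, then produce a list of risks ordered by significance) is exactly what the risk-level matrix in NIST SP 800-30 does: likelihood is rated High/Medium/Low (1.0/0.5/0.1), impact is rated High/Medium/Low (100/50/10), the two are multiplied, and the product is binned as Low (1 to 10), Medium (above 10 to 50) or High (above 50 to 100). The script below is an added worked example of that ranking, not part of the assignment, the submitted report, or the NIST guide; the `Risk` class, the function names and every likelihood/impact rating in `SAMPLE_RISKS` are constructed for illustration and are not findings about any real organization.

```python
"""Rank risks with the NIST SP 800-30 risk-level matrix (added example).

Likelihood High/Medium/Low -> 1.0/0.5/0.1, impact High/Medium/Low -> 100/50/10,
risk = likelihood x impact, binned as Low (1-10), Medium (>10-50), High (>50-100).
"""
from dataclasses import dataclass

LIKELIHOOD = {"High": 1.0, "Medium": 0.5, "Low": 0.1}
IMPACT = {"High": 100, "Medium": 50, "Low": 10}


@dataclass(frozen=True)
class Risk:
    """One row of the risk listing (hypothetical structure, not from the report)."""
    threat: str        # threat/vulnerability pair from the threat table
    likelihood: str    # analyst's rating: High / Medium / Low
    impact: str        # analyst's rating: High / Medium / Low
    mitigation: str    # suggested response (assignment step 4)


def risk_score(likelihood: str, impact: str) -> float:
    """Numeric risk = likelihood value x impact value (rounded to avoid float noise)."""
    return round(LIKELIHOOD[likelihood] * IMPACT[impact], 6)


def risk_level(score: float) -> str:
    """Bin a score into the SP 800-30 risk scale."""
    if score > 50:
        return "High"
    if score > 10:
        return "Medium"
    return "Low"


def rank_risks(risks):
    """Return (threat, score, level, mitigation) tuples, highest risk first.

    Ties on score are broken alphabetically so the ordering is deterministic.
    """
    scored = [
        (r.threat, risk_score(r.likelihood, r.impact),
         risk_level(risk_score(r.likelihood, r.impact)), r.mitigation)
        for r in risks
    ]
    return sorted(scored, key=lambda row: (-row[1], row[0]))


def count_by_level(ranked):
    """Summary counts per risk level, e.g. for the report's executive summary."""
    counts = {"High": 0, "Medium": 0, "Low": 0}
    for _, _, level, _ in ranked:
        counts[level] += 1
    return counts


# Constructed, illustrative ratings for threats named in the threat table.
SAMPLE_RISKS = [
    Risk("Malicious program code", "High", "High",
         "Endpoint anti-malware, patching, application allow-listing"),
    Risk("Hacking or social engineering", "Medium", "High",
         "MFA, security awareness training, network segmentation"),
    Risk("End user omissions or errors", "High", "Medium",
         "Change control, least privilege, tested backups"),
    Risk("Theft or pilferage", "Low", "High",
         "Full-disk encryption, asset inventory, physical access control"),
    Risk("Fire", "Low", "High",
         "Fire suppression in the data centre, off-site backups"),
    Risk("Water damage", "Low", "Medium",
         "Raised floors, leak detection, equipment placement review"),
    Risk("Hardware or equipment failure", "Medium", "Medium",
         "Redundant hardware, maintenance contracts, spares"),
]

if __name__ == "__main__":
    for threat, score, level, mitigation in rank_risks(SAMPLE_RISKS):
        print(f"{level:<6} {score:>6.1f}  {threat:<32} {mitigation}")
    print(count_by_level(rank_risks(SAMPLE_RISKS)))
```

The ranked output is the "listing of risks, at least roughly ordered by their significance" that step 3 asks for; the mitigation column carries step 4. Note that a Low likelihood with High impact scores only 10 (Low) under this scale, which is why a report should state the ratings it assigned rather than only the resulting level.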
Explanation & Answer
Hey, I'm through. Everything is attached. Thank you.
Running head: RISK ASSESSMENT REPORT FOR INTELLECTSOFT
Risk Assessment Report for Intellectsoft
Institution
Instructor Name
Date
1. Introduction
Intellectsoft will utilize risk assessment to establish the extent of the possible threats and risks related to the company’s network and information systems. The results of this exercise aid in determining the proper controls for minimizing and eradicating risks in the risk mitigation activities. The occurrence of risks depends on the likelihood of a particular source of threat causing a vulnerability within a system whose impact adversely affects the company. In order to establish the likelihood of an adverse event in the company, all threats to the company’s IT system need to be analysed together with the possible vulnerabilities as well as the controls put in place (Kouns & Minoli, 2011).
The risk assessment for Intellectsoft will entail numerous phases like characterization of
the systems, threats and vulnerabilities identification, analysis of security controls, determination
of the likelihood of risks, analysis of risk impacts, determination of risks and recommendations
on controls to implement.
1.1 Purpose
The purpose of the risk assessment is to give Intellectsoft IT system administration an
evaluation on the sufficiency of the existing IT security measures that secure the company’s
information assets. The report determines all threats and vulnerabilities in the company’s IT
system and reviews the likelihood that a particular vulnerability has chances of being exploited
as well as assess their impact by determining the overall risk level.
1.2 Scope
The risk assessment exercise will cover the physical security reviews of the company’s IT infrastructure. It will cover the data centres, the General Support System situated in the company’s headquarters offices, and the company’s backbone network.
2. Identification of Threats
Identification of threat source
A threat source refers to scenarios or events that have the capability to cause damage to
IT infrastructure and systems. Threat sources are classified as natural, human and environmental
categories.
Natural threats are caused by natural occurrences like earthquakes, floods and
tornadoes while human threats are events caused by humans intentionally or deliberately. For
example, inadvertent data entry, malicious software upload, unapproved access to private data
and network oriented attacks. The environmental threats may include persistent power failure
and leakage from drainage (Broder & Tucker, 2012).
3. Identification of Vulnerabilities
Threat analysis of the IT system for the organization would entail vulnerability analysis linked with the IT system settings. These weaknesses may be found in the IT system architecture, design or in the company policies, procedures and practices as well as in the management of the IT infrastructure (hardware, software, data and facilities).
Threats and Potential Impacts

Threat source | Description | Impact/threat action

Natural threats
Fire | Faulty electrical circuits may cause an accidental fire that could destroy the company’s IT system equipment or IT facilities. | DOS (Denial of Service); Damage
Water Damage | Leaking drainage system may damage Intellectsoft IT infrastructure and other system components. | DOS; Damage
Natural events | All kinds of natural events like earthquakes, hurricanes and tornadoes may cause destruction or affect Intellectsoft IT infrastructure. | DOS; Damage; Unapproved data alteration; Data Leakage

Human threats
Espionage, Sabotage and Vandalism | Espionage refers to a deliberate action of acquiring the company’s confidential data. Sabotage refers to planned damage or malicious alteration of information assets for personal gain, while vandalism is a deliberate damaging of the company’s system resources without a clear goal. | DOS; Damage; Unapproved data alteration; Data Leakage
Loss of Data Integrity | Intentional modification of system data affecting its integrity. | Unapproved data alteration
Theft or Pilferage | Theft refers to the illegal removal of the organization’s computer hardware or media. Pilferage refers to the illegal removal of company property by employees with access permission to the property. | DOS; Data Leakage
Fraud | Utilization of the company IT systems by an authorized employee for illicit monetary gain. | Unapproved data alteration
Malicious program code | Malicious applications like viruses or worms can infiltrate the company’s IT systems and cause data damage or alter the normal functioning of software. | DOS; Damage; Unapproved data alteration; Data Leakage
End user omissions or errors | Unpremeditated administrator and user errors may cause improper modification of applications and support system modules. | DOS; Damage; Unapproved data alteration; Data Leakage
Information Disclosure | This is also referred to as browsing, which is deliberate unauthorized access to private data by intruders or by employees with access credentials but without the need to read them. | Data Leakage
Eavesdropping/data interception | This is a deliberate unauthorized access to private data via technical methods such as sniffing/interception, or by employees with some access credentials/privileges but without the need to read them. | Data Leakage
Hacking or Social Engineering | Hackers may deliberately modify software applications and bypass the set system security controls, alter data and lead to denial of service, while social engineering refers to the activities where the hacker collects data from the system user to propagate his/her actions of altering or manipulating the IT system. | DOS; Unauthorized alteration; Unapproved leak/exposure

Physical Threats
Hardware or Equipment Failure | Computer hardware may break down or malfunction, leading to denial of service to the system users. Unauthorized modification of hardware configuration leads to inadequacy of the set security configuratio... | DOS; Unapproved data alteration; Data Leakage