During this assignment, you will conduct a full risk assessment against the same corporate profile selected earlier. Based on the information obtained from previous assignments, provide a synopsis on how to manage identified risks, and describe the tools and strategies that will ensure network security.
Prerequisite: Using a vulnerability scanner obtained for the previous assignment, conduct a full scan against all servers in the domain. (This information will be used in Part 3 of the assignment.)
Use the following guidelines to create a four to five-page report.
Part 1: Prepare for Risk Management (“Establish a Framework for Managing Risk”)
List the corporate requirements (i.e., standards, laws) associated with the company. Briefly explain the impact of non-compliance.
Develop categories and a classification method for company information systems. List at least eight categories for various people, processes, hardware, software, and data applicable to the company. Describe the data/system classification scheme as well as the reasons for selecting it.
Part 2: Identify Risk (“Where is the Risk to My Information Assets”)
List a minimum of 20 assets (data, systems, people, processes, etc.) and measure their value to the company (Low, Moderate, High, Critical) in a simple table.
In one column, identify assets that can impact company compliance, customer satisfaction, competitive advantage, or business productivity (i.e., Business Impact Analysis).
Part 3: Assess Risk (“How Severe is the Risk to My Information Assets”)
Identify, measure (quantitative and qualitative), and mitigate key information technology risks. In addition, describe each of the tasks associated with risk framing, assessment, response and monitoring. Refer to risk models (e.g., NIST SP 800-39 Managing Information Security Risk).
Select the optimal risk assessment methodology based on corporate needs. Compare the advantages/disadvantages of your selected risk assessment methodology to others used in the industry.
Provide a diagram of the matrix that was used to assess risk.
Define for each asset the potential threats, the likelihood the threat will occur or be successful, and the impact loss the asset will have on the company (Risk Mitigation Economics). Note: This includes disasters, loss of power, employee resignations, system malfunctions, drop-in customers, etc.
Using the vulnerability scan, list in a table a minimum of 15 identified threats (open vulnerabilities) to the information systems, the impact of the exploited vulnerability, and remediation steps (countermeasures) to remove or reduce either impact or likelihood from threat.
Part 4: Define Risk Appetite (“How Much Risk is Acceptable to My Organization”)
Review the characteristics of a risk appetite within Chapter 6 of the course text.
Establish a Risk Appetite Statement for the company.
Define the Risk Tolerance of the company.
Part 5: Control Risk
In 300–500 words, identify and describe the Risk Control Strategy adopted by the company. Ensure the strategy is in alignment with corporate requirements (standards, laws, frameworks, security policies, etc.) and risk appetite.