Premium Essay

Security Risk Assessment

Words 793
Pages 4
Executive summary

The main purpose of a threat and risk assessment is to provide recommendations that maximize the protection of integrity, confidentiality and availability while still preserving usability and functionality. Insider threat has become a serious information security issue within organizations. The best way for a company or organization to determine the answers to these questions is to perform a threat and risk assessment. This can be accomplished using either internal or external resources. It is quite important that the risk assessment be a collaborative process. It has been shown that an assessment conducted without involving the various organizational levels can lead to ineffective and costly security measures.

Introduction

6 that a former AT&T employee had stolen almost 1600 customers' data. The employee was sacked because of the security breach. The Attorney General of Vermont acknowledged, in a letter to the customers and on the website, that the former employee may have gained unauthorized access to personal information such as Social Security numbers, drivers' licenses, Customer Proprietary Network Information, or important data relating to users' call history, including the date, time, duration and destination of each call.
Once a risk has been identified, we can evaluate how likely and how severe it is, and then decide which measures to apply to effectively prevent or control the harm.

Likelihood Estimation:

                       Likelihood
Severity   20%        40%        60%        80%        100%
1          Low        Low        Moderate   Medium     High
2          Low        Low        Moderate   Medium     High
3          Moderate   Moderate   Moderate   Medium     High
4          Medium     Medium     Medium     Medium     High
5          High       High       High       High       High

Severity Estimation

During risk assessment, scenarios should be considered according to the severity of the disaster, which depends on the impact and the probability of business disruptions resulting from identified threats. In our case, internal threats are a major issue in most of the business sector. Companies face losses from thousands to billions because of insider threats, so the likelihood and severity are high for insider threats. http://www.mindtools.com/pages/article/newPPM_78.htm

Likelihood/severity of insider threats: 80%; there is a high possibility that it can happen in any company.

                       Likelihood
Severity   20%        40%        60%        80%
