Acuity Risk Management LLP - Case Study Example

Risk assessment of the Question 1. Three information assets of an organization to evaluate for risk management Data for question 1: Switch L47 connects a network to the internet. It has two vulnerabilities: (1) susceptibility to hardware failure, with a likelihood of 0.2, and (2) susceptibility to an SNMP buffer overflow attack, with a likelihood of 0.1. This switch has an impact rating of 90 and has no current controls in place. There is a 75 percent certainty of the assumptions and data. Server WebSrv6 hosts a company Web site and performs e-commerce transactions. It has Web server software that is vulnerable to attack via invalid Unicode values. The likelihood of such an attack is estimated at 0.1. The server has been assigned an impact value of 100, and a control has been implemented that reduces the impact of the vulnerability by 75 percent. There is an 80 percent certainty of the assumptions and data. Operator use the MGMT45 control console to monitor operations is the server room. It has no password and is susceptible to unlogged misuse by the operator. Estimates show the likelihood of misuse is 0.1. There are no controls in place on this asset, which has an impact rating of 5. There is a 90 percent certainty of the assumptions and data. From the above data, the three assets for the company are extremely valuable. The following is how the organization will approach in evaluation and additional of more controls. Switch L47 has 2 vulnerability. Vulnerability 1 Vulnerability 1 22.5 =(90*0.2)-((90*0.2)*0.0)+((90*0.2)*0.25) 22.5=18+0+ 4.5 =22.5 Vulnerability 2 11.25 =(90*0.1)-((90*0.1)*0.0)+((90*0.1)*0.25) =9+0+ 2.25 11.25 11.25 +22.5 Switch L47 connects a network to the internet should be evaluated first, and additional controls put in place to secure the internal network from external attacks. This asset is extremely significant since there are many attackers constantly trying to access the company information. Therefore, securing switch L47 is important. It has percentage impact (90%) with high uncertainty of 25%. There is no any control in place to secure this asset hence it should be given priority. Server WebSrv6 = (100*0.1)- ((100*0.1)*0.1)+((100*0.75)*0.2) 10-1+15 24 Hosts should be the second one to be evaluated and additional measures put in place. It has high impact rate and 20% of uncertainty rate. It is second to be evaluated although it has 100 impact value because it has a control in place already. The MGMT45 control console to should be the last one to be evaluated since it has low impact value of 5 with a low rate of uncertainty (10%). It can be evaluated and secured last. There is only one source of risk which the operator hence it is easy to evaluate and provide appropriate measures. Question 2 automated risk assessment tools AgenaRIsk This is a very essential decision support tool with high capability to analyze and help users in making decisions. It was developed by Agena Limited. It is can run on Windows and UNIX platforms. It enables users to model the prediction estimation and decisions about situations using complex algorithms. It costs £2,000 as the normal price. This software has a user graphical interface where the analysis model is a combination of several models such as Bayesian networks, simulation and spreadsheet-like analysis. AgenaRIsk is a vital tool in project risk analysis, testing hypothesis, carrying out statistical analysis, controlling the quality of a system and in developing expert systems. This tool is only applicable to Boolean nodes and ignores AgRisk This software was developed by Ohio State University. The risk automated tool was aimed at helping farmers in evaluating risk factors during harvesting to determine the risk revenue. It is windows based software where Corn, wheat, and sorghum use forward, futures and crop insurance options as input factors. Acertus™ This is a web-based risk assessment and mitigation software that enables clients in establishment, measurement, management and mitigation of risks. Organizations are not only able to control risk using the automated tool, but they can also assess security and comply with regulatory issues. It was developed by Securac Inc. Acuity Risk Management LLP This is a risk assessment and mitigation software that can be the free version downloaded from the company’s site. It can be customized by an organization to meet its policies in risk assessment, control performance and business management. Enterprise versions of the software is not free they are purchased. Question 3 threats to information According to this chapter on ‘risk management’ (Michael & Herbert, 2011) Software attacks- hacking and crackers are some of the software attackers who look for loopholes in the software. These instances have not been discussed before in the chapter. Sabotage or vandalism- sabotage can also result from misrepresentation of information by competitors on information systems. Technical failure- power supply problems are also a threat where information systems are exposed to power surge and electrical faults. Question 4 data classification scheme presented According to the chapter data is classified in three schemes a. Confidential- this is the most sensitive information that should be well guarded within the organization. b. Internal- this is type of information which does not meet the criteria for sensitive information. They are used internally in an organization. c. External- this is information that an organization can share out since it is approved by management. In my personal computers, confidential information is the type of data that concern me such as my financial statements, education certificates, my medical records and health status information. Internal information in my personal computer can be like my video files, music files that people can access but for personal use only. External data-this are the articles and other files that I would like to share with others publicly. Photographs that I want to share out on social media are external files. Question 5 risk assessment on the information contained in your home Vulnerability Asset Impact Vulnerability likelihood Risk-rating factor Theft 100 0.1 10 Software attack 90 0.1 9 Forces of nature 100 0.2 20 Trespass 55 0.3 16.5 Sabotage 55 0.01 0.55 Question 6 National Association of Corporate National Association of Corporate Directors (NACD) is a nonprofit organization which is composed of the board of directors from different businesses. It is leadership of the board that provide knowledge and clear guidelines on how to deal with ever changing business issues and dynamic business environment. The mission of the organization is “is to advance exemplary board leadership -for directors, by directors. We deliver the knowledge and insight that board members need to confidently navigate complex business challenges and enhance shareowner value. We amplify the collective voice of directors in setting a substantive policy agenda”(www.nacdonline.org). According to NACD, information security is legal issues and a liability. Protection of the board of directors and the stakeholders is a primary role done by implementation of the existing laws concerning information security. This role is played by the members of the board of directors. Information security is a continuous evaluation process which response accurate responses. Works Cited Michael, W. E., & Herbert, M. J. (2011). Principles of Information security 4th edition . Course Technology, Inc. Read More