Each member of an organization is held accountable for managing risks. Therefore, it is essential to establish the context for a risk framework and risk process.
Prior to beginning this assignment, view “Risk Management and Assessment” within the “Video Playlist: Policy Management for Security Solutions,” located in the Class Resources.
Part 1: Using your company from Topic 1, establish a risk management framework using industry standards for compliance.
Refer to the “CYB-535 Risk Management Framework Guide,” and create a Risk Management Framework.
Part 2: Refer to “An Overview of Threat and Risk Assessment,” located in the topic Resources. In 750–1000 words, discuss various risk assessment models, methodologies, and processes that can be used to perform a risk assessment of a particular system. Make sure to:
- Describe how risk relates to a system security policy.
- Describe various risk analysis methodologies.
- Considering your framework from Part 1, explain why it is important to evaluate and categorize risk a) with respect to technology, b) with respect to individuals, and c) in the enterprise.
- Compare the advantages and disadvantages of various risk assessment methodologies.
- Explain how one would select the optimal methodology based on needs, advantages, and disadvantages.
Then, submit both Parts 1 and 2.
Prepare this assignment according to the guidelines found in the APA Style Guide, located in the Student Success Center.
This assignment uses a rubric. Please review the rubric prior to beginning the assignment to become familiar with the expectations for successful completion.
You are required to submit this assignment to LopesWrite. A link to the LopesWrite technical support articles is located in Class Resources if you need assistance.
This benchmark assignment assesses the following programmatic competencies and professional standards:
MS Information Assurance and Cybersecurity
2.1 Establish a risk management framework using industry standards for compliance
1.5 Establish a risk management framework using industry standards for compliance.
CYB-535 Risk Management Framework Guide

Directions: Selecting a model to use in designing your company’s risk management framework may be somewhat intimidating. A recommended approach is to begin by studying the models presented in Topic 4, including NIST, ISO, FAIR, OCTAVE, etc. Then, identify what each offers to the envisioned process. Once you understand what each model offers, you can adapt one or more models to fit your organization’s needs. Based upon the selected model(s), address all of the criteria below.

Part 1: Communities of Interest

A community of interest (CoI) is a group of people who operate to address security and privacy needs within the mission of the business or organization. This community can include InfoSec, IT, management, or users. Each member is held accountable for managing risks, meaning each member has a particular strategic role to play that is directly linked to managing risks of information assets. Identify and explain the strategic roles each community of interest must play in managing risks to your company’s information assets.

Table 1. Community of Interest

| Name | Role(s) | Responsibilities |
|---|---|---|
| | | |

Part 2: Risk Management Plan

Establish the Context of Risk Framework and Risk Process

Refer to the NIST’s “Guide for Applying the Risk Management Framework to Federal Information Systems,” or “Guide for conducting Risk Assessment,” located in the topic Resources. Then, present/map the steps in which you will:
- Identify the purpose of the risk assessment.
- Identify the scope of the risk assessment.
- Identify the assumptions and constraints associated with the risk assessment.
- Identify the sources of information to be used as inputs to the risk assessment.

Risk Identification

Use the table to perform the following:
- Identify your company’s information assets.
- Classify and categorize your assets into meaningful groups.
- Prioritize your assets by overall importance.

Table 2. Assets Classification

| Information Assets | Classification (Confidential, Private, Public) | Impact on Profitability (Critical, High, Medium) | Impact on Public Image (Critical, High, Medium) | Impact on Revenue (Critical, High, Medium) | Weighted Score / 100 |
|---|---|---|---|---|---|
| Ex: Web Server # 1 | Public | Critical | High | Critical | 95 |

Threat Assessment

Use the table to perform the following:
- Identify/categorize a minimum of 10 threats and their possible vulnerabilities.
- Determine which represents danger to your organization’s assets.
- Determine which threats are internal and which are external.
- Determine which threat has the highest probability of success/occurrence.
- Determine which threat could result in the largest loss if successful.

Table 3. Threat Vulnerability Assessment

| Threat | Possible Vulnerabilities | Internal or External | Probability of Occurrence / Success | Reputation Loss if Successful | Financial Loss if Successful |
|---|---|---|---|---|---|
| Ex: Information Extortion | | Internal | 79% | 56% | 80% |

Part 3: Risk Analysis

During this process, assign a risk rating/score to each vulnerability defined in Part 2. Use the table to perform the following:
- Asset: List each vulnerable asset.
- Vulnerability: List each possible vulnerability.
- Likelihood: Indicate the likelihood of the realization of the vulnerability by an attacker (0 to 5).
- Impact: Indicate the impact of this vulnerability to your company (0 to 5).
- Risk Rating Factor: Indicate the result of multiplying asset impact and its likelihood (0 to 25).

Table 4. Asset Vulnerability Assessment

| Asset | Vulnerability | Likelihood | Impact | Risk Rating Factor |
|---|---|---|---|---|
| Ex: Email Server | Email disruption due to software failure | | | |

Part 4: Risk Evaluation / Report Findings

Based on the results of the risk analysis and threat assessments:
- Which risks are acceptable to your company? What can they “live with”?
- Which risks are unacceptable to your company?

© 2021. Grand Canyon University. All Rights Reserved.
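As an added example (not part of the assignment text or the university’s guide), the following Python computes the Part 3 Risk Rating Factor for rows shaped like Table 4, validates the 0–5 scales, ranks the register, and applies the Part 4 acceptable/unacceptable split using an assumed acceptance threshold; the sample assets and scores are constructed for illustration.

```python
from dataclasses import dataclass

SCALE_MAX = 5  # Likelihood and Impact are each scored 0 to 5 (Table 4)


def valid_score(value) -> bool:
    """True if value is an integer on the 0..SCALE_MAX scale."""
    return isinstance(value, int) and 0 <= value <= SCALE_MAX


@dataclass(frozen=True)
class RiskEntry:
    asset: str
    vulnerability: str
    likelihood: int  # 0-5
    impact: int      # 0-5

    def __post_init__(self):
        for name in ("likelihood", "impact"):
            if not valid_score(getattr(self, name)):
                raise ValueError(f"{name} must be an integer 0..{SCALE_MAX}")

    @property
    def risk_rating_factor(self) -> int:
        # Table 4: Risk Rating Factor = Likelihood x Impact, range 0..25
        return self.likelihood * self.impact


def rank_register(entries):
    """Highest risk first; ties broken by impact, then asset name."""
    return sorted(entries, key=lambda e: (-e.risk_rating_factor, -e.impact, e.asset))


def evaluate_register(entries, acceptance_threshold):
    """Part 4 split. acceptance_threshold is an assumed risk-appetite value set by
    the company; a Risk Rating Factor strictly above it is unacceptable."""
    ranked = rank_register(entries)
    acceptable = [e for e in ranked if e.risk_rating_factor <= acceptance_threshold]
    unacceptable = [e for e in ranked if e.risk_rating_factor > acceptance_threshold]
    return acceptable, unacceptable


# Constructed sample rows in the shape of Table 4 (scores are illustrative only).
SAMPLE_REGISTER = [
    RiskEntry("Email Server", "Email disruption due to software failure", 3, 4),
    RiskEntry("Web Server # 1", "Unpatched web application framework", 4, 5),
    RiskEntry("HR File Share", "Over-permissive share access", 2, 3),
    RiskEntry("Guest Wi-Fi", "Weak pre-shared key", 3, 1),
]

if __name__ == "__main__":
    acceptable, unacceptable = evaluate_register(SAMPLE_REGISTER, acceptance_threshold=9)
    for label, group in (("UNACCEPTABLE", unacceptable), ("ACCEPTABLE", acceptable)):
        for e in group:
            print(f"{label:12} {e.risk_rating_factor:2d}  {e.asset}: {e.vulnerability}")
```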