Risk Assessment Report

· Conduct a risk assessment on the network in Figure 1 of the attached document, based on the ISO 27005 standard.

· Write a detailed risk assessment report (in the required structure as detailed in the attached document). 


ASSESSMENT SCENARIO

The XYZCLOUD scenario (note: this scenario is completely fictitious).

XYZCLOUD is a new cloud service company in your city, and its current IT infrastructure is depicted in Figure 1. The company provides (i) secure storage and (ii) virtual server services for both individual customers and organisations.

Figure 1. The IT infrastructure of XYZCLOUD

The IT infrastructure comprises:

· Employee computers (Human Resources and Admin PCs) running Windows XP SP2.

· A database server that stores all personal information about customers and employees (running MySQL).

· A DMZ (demilitarized zone) containing a mail server (Microsoft Exchange Server version 12) that stores all emails and attached files, and a web server (IIS 5, Internet Information Services, formerly Internet Information Server, an extensible web server created by Microsoft) hosting the company's websites. Note that the most recent version of Microsoft Exchange Server is version 20.

· A Windows-based authentication server for authenticating the customers and employees.

· A firewall with firmware version 1.2 protecting the internal network from the outside world (the internet). Note that the most recent firmware version for the firewall is version 2.0.

· The servers hosting the documents of customers (cloud storage services).

· The servers hosting the virtual machines for providing cloud computing services.

· All the servers and PCs are connected to switches and routers so that they can communicate with each other. The router serves as the gateway between the internal network and the internet. Note that the most recent firmware version for the switches and routers is version 1.2.

After some attack incidents and financial loss, the company realized that it should carry out a risk assessment and improve its IT infrastructure with security controls.

ASSESSMENT BRIEF

In this assignment you have to:

· Conduct a risk assessment on the network in Figure 1, based on the ISO 27005 standard.

· Write a detailed risk assessment report (see Section 4 for the required structure).

FLEXIBILITY OF THE SOFTWARE/HARDWARE/FIRMWARE PARAMETERS

As you can see, no specific hardware and software details are given in Figure 1. To avoid everyone working on exactly the same network (and hence copying from each other), before doing the risk assessment you must specify the system parameters and the system boundaries, including the operating systems, hardware, software/applications and firmware in use. Ideally, each of you will work with a different set of system parameters and a different scope that you chose or specified.

SUBMISSION DETAILS

The 2000-word (excluding the bibliography) risk assessment report should be submitted as a x. All references and in-text citations in the report should follow the Harvard referencing style.

REPORT STRUCTURE

To meet the requirements your report must have a professional look. To help you in this regard, the following structure is provided as a guideline. The report must contain the following main sections; you may add subsections as you find reasonable.

1. Introduction

Here you specify the risk assessment method you use and discuss its advantages. Finally, highlight the specific tasks you will perform during the risk assessment of the given system.

2. Risk Assessment

· This section contains the main part (the result) of the report, namely the whole risk assessment process performed on the system in Figure 1, together with your chosen system parameters. The section can include several sub-sections:

· Owner specification.

· Assets (primary and secondary). Briefly explain why each asset is primary or secondary; a collective explanation for a group of assets is acceptable instead of one per asset.

· One threat for each asset.

· One vulnerability for each asset. The vulnerabilities must be taken from one of the online vulnerability databases (e.g. NVD) and given with their official CVE number.

· Likelihood level computation, using the Boston grid.

· Impact table specification.

· Risk identification with the risk level, using a risk matrix (Boston grid).

· At most 10 risks should be given.

3. Summary and Recommendations

In this section you summarize the main findings and write a non-technical recommendation (executive summary) for the management/board of directors, explaining why they should invest in security and follow the ISO 27001 standard.

1. INTRODUCTION

· What you will do in this report

· Risk management and risk assessment standards

· Say more about the ISO standards and why they are suitable for this case (advantages).

2. System parameters (table)

Staff PCs: Windows 7, 8, etc.

Servers: Linux (Ubuntu, etc.) or Windows

3. Risk assessment process

a. Asset classification (primary and supporting) + asset ID.

b. In-scope/out-of-scope.

c. Define/identify the threat sources + threat source IDs (intentional/unintentional/natural).

d. Attractiveness of each asset to the threat sources (qualitative: L, M, H).

e. Vulnerability identification from the NVD database (which gives the severity of each vulnerability; map it to qualitative L, M, H).

f. Calculate risk (based on the formula Likelihood × Impact = Risk):

i. Calculate Likelihood = Threat attractiveness × Vulnerability level.

ii. Define the impact levels (qualitative: L, M, H) and explain the meaning of each level in this context/scenario.

4. Non-technical/executive summary

· Main findings

· Risk treatment recommendation (pick some of the five options)

References

Information Security Management

Table of Contents

INTRODUCTION

RISK ASSESSMENT

Owner Specification

Assets

Risk Assessment Process

Vulnerabilities

Risk Identification using Boston Grid

CONCLUSION

REFERENCES

INTRODUCTION

Cloud services are facilities accessed through a remote cloud computing server rather than an on-premises server: a scalable solution operated by a third party that gives users access to computing resources such as storage, virtual servers and networking over the internet. XYZCLOUD is a new cloud service company in our town. It provides secure storage and virtual server services to both individual customers and organisations. In its current infrastructure, large amounts of data are kept in cloud storage and in a MySQL database, which the Admin and Human Resources users manage; the firewall and router are meant to keep external malware and attacks out of the internal network. The database holds all personal information about customers and employees, and a Microsoft Exchange mail server is used to exchange messages and attachments. This report carries out a risk assessment of that network based on the ISO 27005 standard.

We use a generic risk assessment approach, which involves investigating the system and producing a proper document: select the tasks that are performed regularly and write a general assessment of each. The assessment follows five steps: first identify the threats (for example malware) and how harmful they are; then decide who or what may be harmed; evaluate the risks and decide on precautions; record the findings and implement them; and finally review the assessment and update it so that it stays effective.

Figure 1: IT structure of XYZCLOUD

RISK ASSESSMENT

No one can guarantee the safety of information systems 100%. The cloud computing model has certain features and usage patterns that introduce new risks and require many well-known risks to be re-examined and redefined for that model (Jøsang et al., 2007). A risk assessment is an inspection of a given task undertaken at work that could possibly cause harm to people. Risk assessments can be of several types (Moyo, 2005; Moteff et al., 2005):

· Identifying the potential threats:

Workplace hazards can take many forms, such as physical, mental, biological and chemical, to name just a few. Threats can be identified by a number of procedures; one of the most common remains walking around the workplace to observe directly any processes, activities or substances that may injure or harm members of staff, including Human Resources (Moteff et al., 2005). If you work in the same environment every day, you may miss some threats. ISO/IEC 27005 is a standard devoted entirely to information security risk management and is very helpful if you want a deeper insight into information security risk assessment; it therefore recommends looking at:

1. Non-routine processes.

2. Unwanted files that are detected.

3. Irregular activities (Moteff et al., 2005).

· Decide who might be harmed and how:

Identifying who might be at risk extends to full-time and freelance staff, visitors, customers and other members of the public at the workplace. You should also consider people who may not be in the office all the time or who work at different times. Most malware can harm the Admin and Human Resources PCs, and much of it can harm the database and the cloud storage. For each threat we need to determine who may be harmed; this in turn helps identify the protective actions for controlling a given task (Bahtit, 2013).

· Evaluate the risks and decide on control measures:

Once we have identified a threat, the next logical step is to remove the related risk entirely; where this is not possible, suitable control measures should be put in place. For example, if a member of staff detects a threat such as malware, they should protect the system with antivirus software and the help of technical experts. This first action taken by staff can protect the whole system from failure or from being infected by malware (Moyo, 2005).

· Examine alternative solutions:

First, risk acceptance means concluding that certain risks are inherent in doing business and that the benefits of an activity outweigh the possible threat. Risk avoidance means not undertaking an activity because the organisation does not want to be exposed to that type of threat (Agrawal, 2017). Risk control includes prevention or mitigation, which reduces the effect a risk would have if it does occur. Risk transfer means passing responsibility for any harmful outcome to another organisation, as when a company takes out insurance (Agrawal, 2017).

· Choose which solution to use and implement it:

First, all practical solutions are recorded; choose the one most likely to reach the desired result. Then set up a formal procedure to implement the solution consistently and reliably across the organisation, and instruct employees at each step of the process (Agrawal, 2017; Castro et al., 2011).

· Monitor results:

Threats are the most harmful thing to our system, and risk management is not a project that can be "completed" and forgotten about. The organisation, its situation and its risks are continually changing, so the procedure should be revisited constantly (Agrawal, 2017; Castro et al., 2011). That is why we rely on the firewall and router (firmware v1.2, which is behind the current 2.0 release for the firewall): our bulk data is stored in the database and cloud storage and includes details given by other organisations, customers, employees and clients. The firewall's job is never finished, so external threats and malware should be kept out as far as possible (Castro et al., 2011).

Owner Specification:

The owner organisation is XYZCLOUD, a newly started cloud service company in our town. It provides secure cloud storage. All information and the database are handled by the superuser/Admin and Human Resources staff, who check and update the database. The data is protected by a firewall (firmware version 1.2). Employee systems run Windows XP SP2 (Wahlgren et al., 2013). All information about employees and customers is stored in the database. Microsoft Exchange Server is used for transmitting mail. A Windows-based authentication server identifies employees and clients. Every server is linked to switches and routers so that they can communicate with each other, and the router acts as the gateway between the internal network and the internet (Wahlgren et al., 2013; Faris et al., 2014).

Assets:

There are several assets inside an organisation that have value. Risk managers, in order to perform their duties correctly, need to identify the assets that are critical to the organisation. Identifying the assets of an organisation or person is the first step in the risk analysis process (Faris et al., 2014). From the primary assets we derive the secondary (supporting) assets that they depend on and that require protection from threats. A threat source can be an agent with malicious intent, an agent prone to unintentional error, or a natural phenomenon (Faris et al., 2014; Medromi et al., 2014). A vulnerability is a weakness that might be exercised or exploited to cause an adverse event. A threat is then characterised as a potential adverse event or action, caused by a threat source that successfully exercises a specific vulnerability (Medromi et al., 2014). The probability of the threat occurring increases with the strength or motivation of the threat source and with the level of the vulnerability. Associated with every threat is an impact magnitude, which expresses the direct or indirect loss resulting from the threat event. The risk of a threat is derived as the combination of the threat's likelihood and its impact magnitude (Medromi et al., 2014).

Risk Assessment Process:

· System description

· Threat identification

· Vulnerability identification

· Analysis of current security controls

· Likelihood determination

· Impact analysis

· Risk determination

· Recommendation of new controls

· Results documentation (Wirtz et al., 2018)

We note that the vulnerability checklists used during step 3 have generally excluded the various forms of poor security usability that are common in security systems today (Wirtz et al., 2018). As a result, many relevant vulnerabilities and threats are regularly ignored. For realistic risks resulting from poor usability to be captured by a risk assessment process, it is necessary to explicitly consider poor security usability as a vulnerability, and the relevant checklists should be updated to include such weaknesses (Wirtz et al., 2018).

ISO 27005

The main aim of the ISO 27005 standard, applied to the given network, is to provide guidelines for information security risk management (ISRM). The standard supports the general concepts specified in ISO 27001 and assists the satisfactory design and implementation of information security based on a risk management approach. It also references the information security control objectives and best-practice security controls used to treat the identified risks (Felipe et al., 2019; Omerovic et al., 2019).

Action-based security usability vulnerabilities

SUV-A1: Users do not understand which security actions are required of them.

SUV-A2: Users do not know how to take the correct security action.

SUV-A3: The physical and mental load of taking a security action is not tolerable.

SUV-A4: The physical and mental load of repeating the same security action for a set of instances is not tolerable (Felipe et al., 2019).

Conclusion-based security usability vulnerabilities

SUV-C1: Users do not receive the security conclusion needed to take an informed action.

SUV-C2: The system does not provide sufficient security information to users.

SUV-C3: The mental load of understanding the security conclusion is not tolerable for users.

SUV-C4: The mental load of understanding the security conclusion repeatedly, for a whole set of instances, is not tolerable (Felipe et al., 2019).

Vulnerabilities

The vulnerabilities must be taken from one of the online vulnerability databases (Derock et al., 2010). Those selected are listed below with their CVE numbers and NVD descriptions. As the brief requires one vulnerability per asset, each CVE should also be tied to the asset ID of the component it affects.

CVE number | Description | Published

CVE-2021-21361 | The com.bmuschko:gradle-vagrant-plugin Gradle plugin contains an information disclosure vulnerability due to the logging of the system environment variables. | March 08, 2021

CVE-2021-21331 | The Datadog API client is run on a UNIX-like system with several users. The API is used to download a file containing sensitive information, and that sensitive information is exposed locally to other users. | March 03, 2021

CVE-2021-21315 | The System Information Library for Node.js (npm package systeminformation) is an open-source collection of functions to retrieve detailed hardware, system and OS information; affected versions are vulnerable to command injection. | February 16, 2021

CVE-2021-2506 | The vulnerability has been reported to affect earlier versions of QTS. If exploited, this improper access control vulnerability could allow attackers to compromise the security of the software by gaining privileges or reading sensitive information. | February 03, 2021

Risk Identification using Boston Grid

All risks are identified, each with its level, using the Boston grid (the likelihood by impact risk matrix):

· The red cells mark all the risks attributed to a risk agent.

· The green cells mark the risks attributed to risk motivations.

· The sky-blue cells mark no relation between risk motivations and risk.
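The computation laid out in the outline earlier on this page (Likelihood = threat attractiveness × vulnerability level, Risk = likelihood × impact, each read off a 3×3 Boston grid) and the placement of risks on the grid in this section, as an added worked example in Python that is not part of the original report. The asset register, the threat source IDs and every L/M/H level in it are constructed illustrative assumptions rather than NVD data; the grid calibration (two lows give L, a high paired with a medium gives H) is an assumption the report must state explicitly in its impact table; the CVSS-to-level mapping follows NVD's published CVSS v3 severity bands, with Critical folded into H because the brief's scale has only three levels.

```python
"""Qualitative risk computation for the XYZCLOUD assessment (added example).
Likelihood = attractiveness x vulnerability, Risk = likelihood x impact,
both looked up on a 3x3 Boston grid over the brief's L/M/H scale."""
from dataclasses import dataclass

LEVELS = ("L", "M", "H")

# Boston grid: GRID[first][second]. Symmetric, so factor order does not matter.
# Assumed calibration: two lows -> L, H with M -> H, H with L -> M, two highs -> H.
GRID = {
    "L": {"L": "L", "M": "L", "H": "M"},
    "M": {"L": "L", "M": "M", "H": "H"},
    "H": {"L": "M", "M": "H", "H": "H"},
}


def combine(a, b):
    """Look up two qualitative levels on the grid; reject anything outside L/M/H."""
    if a not in LEVELS or b not in LEVELS:
        raise ValueError(f"levels must be one of {LEVELS}, got {a!r} and {b!r}")
    return GRID[a][b]


def cvss_to_level(base_score):
    """Map an NVD CVSS v3 base score to the brief's L/M/H scale.
    NVD bands: 0.1-3.9 Low, 4.0-6.9 Medium, 7.0-8.9 High, 9.0-10.0 Critical;
    Critical is folded into H because the brief's scale has only three levels."""
    if not 0.0 <= base_score <= 10.0:
        raise ValueError("CVSS base score must lie between 0.0 and 10.0")
    if base_score < 4.0:
        return "L"
    if base_score < 7.0:
        return "M"
    return "H"


@dataclass(frozen=True)
class RiskEntry:
    asset_id: str
    asset: str
    threat_source: str   # threat source ID (intentional/unintentional/natural)
    attractiveness: str  # how attractive the asset is to that threat source
    vulnerability: str   # level derived from the NVD severity of the chosen CVE
    impact: str          # meaning of each level is defined in the impact table

    @property
    def likelihood(self):
        return combine(self.attractiveness, self.vulnerability)

    @property
    def risk(self):
        return combine(self.likelihood, self.impact)


def rank_risks(entries, limit=10):
    """(entry, likelihood, risk) tuples, highest risk first, then highest likelihood;
    capped at `limit` because the brief allows at most 10 risks in the report."""
    order = {level: i for i, level in enumerate(LEVELS)}
    scored = [(e, e.likelihood, e.risk) for e in entries]
    scored.sort(key=lambda t: (order[t[2]], order[t[1]]), reverse=True)  # stable sort
    return scored[:limit]


def boston_grid(entries):
    """Place asset IDs on the likelihood x impact matrix, keyed by (likelihood, impact)."""
    cells = {(lik, imp): [] for lik in LEVELS for imp in LEVELS}
    for e in entries:
        cells[(e.likelihood, e.impact)].append(e.asset_id)
    return cells


# Constructed register for the Figure 1 components. All levels are illustrative
# assumptions; in the real report each vulnerability level comes from the CVSS
# score of the CVE chosen for that asset, via cvss_to_level().
REGISTER = [
    RiskEntry("A1", "HR/Admin PCs (Windows XP SP2)", "TS-1 external attacker (intentional)", "M", "H", "M"),
    RiskEntry("A2", "MySQL database of personal data", "TS-1 external attacker (intentional)", "H", "M", "H"),
    RiskEntry("A3", "Exchange mail server (DMZ)", "TS-1 external attacker (intentional)", "M", "M", "H"),
    RiskEntry("A4", "IIS 5 web server (DMZ)", "TS-1 external attacker (intentional)", "M", "H", "M"),
    RiskEntry("A5", "Authentication server", "TS-2 careless employee (unintentional)", "M", "L", "H"),
    RiskEntry("A6", "Firewall (firmware 1.2, current 2.0)", "TS-1 external attacker (intentional)", "M", "M", "M"),
    RiskEntry("A7", "Cloud storage servers", "TS-3 power failure (natural)", "L", "L", "H"),
    RiskEntry("A8", "Virtual machine hosts", "TS-2 careless employee (unintentional)", "L", "M", "M"),
]

if __name__ == "__main__":
    for entry, lik, risk in rank_risks(REGISTER):
        print(f"{entry.asset_id:<3} {entry.asset:<38} L={lik} I={entry.impact} R={risk}")
    for (lik, imp), ids in boston_grid(REGISTER).items():
        if ids:
            print(f"likelihood {lik} x impact {imp}: {', '.join(ids)}")
```

Running the block prints the ranked register and the occupied grid cells; the ranking is what the "at most 10 risks" list in the report is built from, and the (likelihood, impact) cells are what gets coloured on the Boston grid. Changing GRID changes every result, which is why the calibration belongs in the report alongside the impact table.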

CONCLUSION:

XYZCLOUD provides services such as storing customer data in a database in the cloud, and also provides security and protection for it. The significant factors in any company, such as its field of business and its quantitative and financial standing, depend entirely on data security. Because the hallmark of the business is customer satisfaction, data security provides the assurance that lets customers feel confident about their data storage, their access to information and the confidentiality of their data. Loss of trust is a major problem faced by many data security organisations, caused by individuals as well as by organised teams of attackers. To reduce the risk of data leakage, an effective data security framework coordinated by management criteria is required. The main work the organisation should do is to resolve its data security problems in order to gain the trust of customers. There ought to be a clear arrangement for data security that keeps the data completely private. Data security is therefore a significant way to protect every kind of data and is of great help to every institution, client and individual. Modern organisations depend on the security, privacy and data configuration of their applications. Data use and innovation at every step increase the productivity of the business and hence develop the organisation, but they also increase risk where understanding of data security is lacking in the organisation or where a mobile workforce is used. There should be adequate knowledge of staff shortages and of the security issues that come with them. Clients interact with the applications and should be informed of data security practices across a wide range of areas through adequate handling and implementation of data security. The organisation should guarantee that its data security is not causing a leakage problem for anyone and is not suffering any severe technical issue.
The best approach to data security is to attain a high level of data security for every client, so that the business can move up a level with technological advancement.

REFERENCES:

· Jøsang, A., AlFayyadh, B., Grandison, T., AlZomai, M. and McNamara, J., 2007, December. Security usability principles for vulnerability analysis and risk assessment. In Twenty-Third Annual Computer Security Applications Conference (ACSAC 2007) (pp. 269-278). IEEE.

· Moyo, M., Abdullah, H. and Nienaber, R.C., 2013. Information security risk management in small-scale organisations: A case study of secondary schools computerised information systems (pp. 1-6). IEEE.

· Moteff, J., 2005, February. Risk management and critical infrastructure protection: Assessing, integrating, and managing threats, vulnerabilities and consequences. Library of Congress Washington DC Congressional Research Service.

· Bahtit, H. and Regragui, B., 2013. Risk Management for ISO27005 Decision Support. International Journal of Innovative Research in Science, Engineering and Technology.

· Agrawal, V., 2017, June. A framework for the information classification in ISO 27005 Standard. In 2017 IEEE 4th International Conference on Cyber Security and Cloud Computing (CSCloud) (pp. 264-269). IEEE.

· Castro, A.R. and Bayona, Z.O., 2011. Gestión de Riesgos tecnológicos basada en ISO 31000 e ISO 27005 y su aporte a la continuidad de negocios. Ingeniería, 16(2), pp.56-66.

· Wahlgren, G., Bencherifa, K. and Kowalski, S., 2013. A framework for selecting IT security risk management methods based on ISO27005. In MIC-CPE 2013: 6th International Conference on Communications, Propagation and Electronics, Kenitra, Morocco, 1-3 February, 2013. Academy Publisher.

· Faris, S., Medromi, H., El Hasnaoui, S., Iguer, H. and Sayouti, A., 2014. Toward an effective information security risk management of universities’ information systems using multi agent systems, ITIL, ISO 27002, ISO 27005. Editorial Preface, 5(6).

· Medromi, H. and Sayouti, A., 2014. An Integrated use of ISO27005, Mehari and Multi-Agents System in order to Design a Comprehensive Information Security Risk Management Tool.

· Wirtz, R., Heisel, M., Borchert, A., Meis, R., Omerovic, A. and Stølen, K., 2018, March. Risk-based elicitation of security requirements according to the ISO 27005 standard. In International Conference on Evaluation of Novel Approaches to Software Engineering (pp. 71-97). Springer, Cham.

· Felipe, M.S.I., Andrés, L.V.S. and Raúl, B.G., 2019, October. Risks Found in Electronic Payment Cards on Integrated Public Transport System Applying the ISO 27005 Standard. Case Study Sitp DC Colombia. In 2019 Congreso Internacional de Innovación y Tendencias en Ingenieria (CONIITI) (pp. 1-6). IEEE.

· Derock, A., Hebrard, P. and Vallée, F., 2010, May. Convergence of the latest standards addressing safety and security for information technology. In ERTS2 2010, Embedded Real Time Software & Systems.

· Omerovic, A. and Stølen, K., 2019, June. Risk-Based Elicitation of Security Requirements According to the ISO 27005 Standard. In Evaluation of Novel Approaches to Software Engineering: 13th International Conference, ENASE 2018, Funchal, Madeira, Portugal, March 23–24, 2018, Revised Selected Papers (Vol. 1023, p. 71). Springer.
