· Conduct a risk assessment on the network in Figure 1 of the attached document, based on the ISO 27005 standard.
· Write a detailed risk assessment report (in the required structure as detailed in the attached document).
Don't use plagiarized sources. Get Your Custom Essay on
Risk Assessment Report
Just from $13/Page
Risk Assessment Report
ASSESSMENT SCENARIO
The XYZCLOUD scenario (note: this scenario is completely fictitious).
XYZCLOUD is a new cloud service company in your city, and its current IT infrastructure is depicted in Figure 1. The company provides (i) secure storage and (ii) virtual server services for both individual customers and organisations.
Figure 1. The IT infrastructure of XYZCLOUD
The IT infrastructure comprising
· Employees computers (Human Resource and Admin PCs) running Windows XP SP2.
· A machine running SQL server, which stores all personal information about customers and employees (Running MySQL).
· A DMZ (Demilitarized Zone) containing a mail server (Microsoft Exchange Server version 12) and stores all emails and attached files, and a web server (IIS 5[footnoteRef:1]) hosting the websites of the company. Note that the most recent version of Microsoft Exchange Server is version 20. [1: Internet Information Services (IIS, formerly Internet Information Server) is an extensible web server created by Microsoft.]
· A Windows-based authentication server for authenticating the customers and employees.
· A firewall with the firmware version 1.2 to protect the internal network from the outside world (internet). Note that the recent firmware version of the firewall is version 2.0.
· The servers hosting the documents of customers (cloud storage services).
· The servers hosting the virtual machines for providing cloud computing services.
· All the servers and PCs are connected to switches and routers so that they can communicate with each other. The router serves as a gateway between the internal network and the internet. Note that the recent firmware version of the switches and routers is version 1.2.
After some attack incidents and financial loss, the company realized that it should carry out a risk assessment and improve its IT infrastructure with security controls.
ASSESSMENT BRIEF
In this assignment you have to:
· Conduct a risk assessment on the network in Figure 1, based on the ISO 27005 standard.
· Write a detailed risk assessment report (see Section 4 for the required structure).
FLEXIBILITY OF THE SOFTWARE/HARDWARE/FIRMWARE PARAMETERS
As you can see, there are no specific hardware and software details given in Figure 1. To avoid working in the entirely same network (and hence copying from each other), before doing the risk assessment, you have to specify the system parameters and the system boundaries, including the used operating systems, hardware, software/applications and firmware. Ideally, each of you will work with different sets of system parameters/scope that you chose or specified.
SUBMISSION DETAILS
The 2000-words (excluding the entire bibliography list) risk assessment report should be submitted as a x. All references and in-text citations in the report should follow the Harvard style of referencing.
REPORT STRUCTURE
To meet the requirements your report must have a professional look. In order to help you in this regard the following structure is provided as a guideline. The report must contain the following main sections, however, you are allowed to add subsections as you find reasonable.
1. Introduction
Here you will specify the risk assessment method that you use, discuss the advantages of this risk assessment method. Finally, highlight the certain tasks that you will perform during the risk assessment on the given system.
2. Risk Assessment
· This section contains the main part (result) of the report, namely, the whole risk assessment process made on the system in Figure 1, besides your chosen system parameters. The section can include several sub-sections:
· Owner specification,
· Assets (primary and secondary). You should explain briefly why the assets are primary or secondary. You can give a collective explanation for a group of assets instead of explaining for each asset.
· One threat for each asset.
· One vulnerability for each asset. The vulnerabilities have to be taken from one of the online vulnerability databases (e.g. NVD), and have to be given with the official CVE- number.
· Likelihood level computation, using Boston gird
· Impact table specification
· Risk identification with the risk level, using risk matrix (Boston grid).
· At most 10 risks should be given.
3. Summary and Recommendations
In this section you summarize the main findings and write a non-technical recommendation (executive summary) for the management/director board, summarizing why they should invest in security and follow the ISO 27001 standards.
1.INTRODUCTION
· What you will do in this report
· Risk management and risk assessment standards
· Talk more about ISO standards why they are suitable for this case (advantages).
2. System parameters, table.
|
STAFF PC
|
Windows
7, 8, etc.
|
|
Servers
|
Linux (Ubuntu, etc.)
Windows
|
3. Risk assessment process
a. Asset classification (primary and supporting) + Asset ID
b. In-scope/out-of-scope.
c. Define/Identify the Threat sources + Threat source IDs. (intentional/unintentional/natural)
d. Attractiveness for the threat sources (qualitative, L, M, H,)
e. Vulnerability identification. NVD database (which includes the level of vulnerability, qualitative, L, M, H)
f. Calculate risk (based on the formula, Likelihood x Impact = Risk)
i. Calculate Likelihood = Threat attractiveness x Vulnerability
ii. Define the impact levels (qualitative, L, M, H) -> explain the meaning of each level in this context/scenario.
4. Non-technical/Executive summary
· Main findings
· Risk treatment recommendation (pick some options from the 5)
References
Information Security Management
Submitted to :
Submitted by:
Table of Contents
INTRODUCTION 3
RISK ASSESSMENT
4
Owner Specification:
5
Assets:
6
Risk Assessment Process:
6
Vulnerabilities 7
Risk Identification using Boston Grid
9
CONCLUSION:
1
0
REFRENCES:
11
INTRODUCTION
Cloud services is as facilities accessible via an isolated cloud computing server slightly than an on the spot server. The mountable resolution completed by a third party and provide users with access to computing services such as networking via cyberspace. XYZCLOUD is an big organization of cloud facilities in our town. That organization gives a protected storage and simulated server facilities to both specific clients and company. And its present structure shows that lots of data can be stored in cloud storage and Mysql Database and admin user and human resource user can handle the data with appropriate manner . firewall or router can be protected with external malware and virus and provides security. In database have stored all personal information about clients and employee . and most popular mail server Microsoft exchange server can be used to exchanging their data and huge information. To complete this work, paper taken of ISO 27005 standard which are based on the network.
We have use Generic Risk Assignment in which lot of explore and produce a proper document. And select some of responsibilities you regularly do and write a general assessment of that task. In this risk assignment task we can follow 5 steps , firstly we can find malware and spot and find how much harmful and evaluated the risks and precautions on malware and conclusions and contrivance them. And last analysis on risk assessment and update and effectively.
Figure : IT structure of XYZCLOUD
RISK ASSESSMENT
Not any one can promise 100% on safety of data structures. Cloud Computing Prototypical Has Convinced different features and usages methods that have higher some latest dangers and the need to check and redefine many well-defined pas’ dangers according to the prototypical (Jøsang, et-al, 2007). A risk assessment is an inspection of given task that you assume at work, that could possibly cause harm to people. Risk assignment may be several types are. (Moyo, 2005) (Moteff, et-al, 2005)
· Identifying the potential threats:
Workroom Threats can arise in different methods, such as carnal, mental, biological, and organic, to name just a few. Threats can be identified by manipulation a number of procedures, though, one of the most common remains walking around the workroom to see immediate any processes, happenings or substances that may injure or cause infect to member of staff, Human resource (Moteff, et-al, 2005). If you can work in similar environment every day, then you may miss some threads. IEC27005 is an Ordinary devoted entirely to data security risk management and it is very caring if you want to get a profounder vision into information safety risk assessment then behavior, therefore, the recommend looking at:
1. Non routine processes.
2. Unwanted files detect.
3. Irregular activities. (Moteff, et-al, 2005)
· Choose who might be damaged and in what way:
Identify who might be at risk spreads to full and freelance member of staff, visitors, customers, and other members of the public at workshop. You would also consider people that may not be in the office all time or at changed time. Most of malware can harm our admin and human resource pc’s and most of can harm our database and most of can harm cloud storage. For each threat we will need to realize who may be damaged, this of course, will help you to identify protective actions for regulatory a given task (Bahtit, 2013).
· Estimate the risk and choose on control actions.
Once we’ve known thread, the resulting rational step it to totally remove the related risks, though, where this is not possible, then convinced control measures would be put in place. For example, if a member of staff is can detect thread that time, they should to protect our system with this malware with the help of antivirus and other technical experts. This is first action can take by workers and protect whole system form system failure or infected by malware (Moyo, 2005).
· Examine Substitute resolutions:
Firstly, we don’t accept the threat it means conclusive that about risks are get in doing corporate and that the paybacks of an action offset the possible threat. And avoiding a risk because our organization has not been the part of this type of threat or action (Agrawal, 2017). Risk regulator includes inhibition or movement, which is falling the effect it resolves have if it does occur. Risk transmits include giving responsibility for any harmful results to another organization, as case when a company takes insurance (Agrawal, 2017).
· Choose which resolution to custom and implement the situation:
Firstly, all practical possible resolutions are recorded, choice the one that is most expected to reach desired results. And set up authorized procedure to implement the resolution logically and dependably across the association and instigate employees each step of the system (Agrawal, 2017) (Castro, et-al, 2011).
· Display results:
Thread is most harmful to our system, risk management not a scheme that can be “completed” and elapsed about. The association, its situation, and its dangers are continually changing so the procedure would be constantly reentered (Agrawal, 2017) (Castro, et-al, 2011). That’s why we can use firewall and router (firmware v1.2) because our bulky data can store in database and cloud storage and manage all details given by other organization, customers, employees and clients. Work of firewall can’t be finished life time because of security. so please avoiding the external threat and malware as possible (Castro, et-al, 2011).
Owner Specification:
The name of owner organization is XYZCLOUD and fresh starts in Cloud Service Company in our Town. This organization have provided protected storage on cloud storage. and all information and database can handle by superuser / Admin and human resource they will check and update our database. For security they can protected our data with the help of Firewall or Firmware. Employee’s systems have a windows XP SP2 (Wahlgren, et-al, 2013). In database all information are stored of employee and customers. They use Exchange Server by Microsoft for transmitting the data. This installed window can also an authentication server for identify the employee and clients. complete server is linked to switch and routers so that they can communicate with individually additional. Router assists as entrance among internal system and the cyberspace (Wahlgren, et-al, 2013) (Faris, et-al, 2014).
Assets:
Here several assets inside an association that consume value. Risk manager, in order to perform their duties correctly, need to identify those assets that are critical to the association. The identification of various assets to an association or people is the beginning step in the risk investigation process (Faris, et-al, 2014). From assets we can choose secondary assets to use and required protection from threats on system. A threat cause can be an agent with hateful committed, an agent vulnerable to non-intentional fault, or a natural spectacle (Faris, et-al, 2014) (Medromi, et-al, 2014). A Vulnerability is a faintness that might be do exercises or oppressed to cause adverse occasion. A threat is then characterized as a likely unfavorable occasion or activity brought about by a danger source that effectively practices a specific weakness (Medromi, et-al, 2014). The probability of the danger to happen increments with the strength or inspiration of the threat source, just as with the level of weakness. related with every danger is an effect extent which communicates the immediate or roundabout misfortune coming about because of the threat event. The danger of a danger is inferred as the mix of the threat’s probability and effect extent (Medromi, et-al, 2014).
Risk Assessment Process:
· System Description.
· Threat proof of identity
· Vulnerability credentials.
· Analysis of current security pedals
· Likelihood fortitude
· Impact analysis
· Risk fortitude
· Reference of latest controls.
· Result documents (Wirtz, et-al, 2018)
We accept that weakness agendas utilized during stage 3 generally have excluded the different types of helpless security ease of use that are basics in security frameworks today (Wirtz, et-al, 2018). Thus, numerous important weakness dangers, are regularly being ignored. All together for reasonable dangers, coming about because of helpless convenience, to be caught by a danger appraisal measure it is important to expressly consider helpless security ease of use as a weakness. significant agendas should that be refreshed to incorporate such weaknesses (Wirtz, et-al, 2018).
ISO 27005
The main aim of ISO 27005 standard based on given network is to give guidelines for ISRM (Information security risk management). This standard paper supports the specified concept of ISO 27001 and also provide the satisfactory design and implementation information security. IT also define number of objectives of information security control and provide best practice controls of security (Felipe, et-al, 2019) (Omerovic, et-al, 2019).
Action based on Security Usability Vulnerabilities
SUV-A1
Sometimes users are not getting which actions for security needed for them.
SUV-A2
User don’t have knowledge about to make correct action for security.
SUV-A3
The physical and mental pressure is not tolerable for taking security action.
SUV-A4
The physical and mental pressure to making again same security actions for any project set of instances are occur which is not tolerable. (Felipe, et-al, 2019).
Conclusion based on Security Usability Vulnerabilities
SUV-C1
User don’t get the collusion for security which is needed for taking informed action.
SUV-C2
The system doesn’t provide sufficient information of security to users.
SUV-C3
The mental pressure of security conclusion which is not tolerable for users.
SUV-C4
The mental pressure to use or understand the security conclusion for any project repeated time than it create set of instances which is not tolerable.. (Felipe, et-al, 2019).
Vulnerabilities
Those Vulnerabilities take to be occupied system single of the online vulnerability databases are: (Derock, et-al, 2010)
CVE Number
Description
Published
CVE-2021-21361
The ‘com. bmuschko: gradle-vagrant-plugin’ Gradle plugin holds as information revelation vulnerability owed to the logging of the scheme environment variable quantity.
March 08,2021
CVE-2021-21331
The DatadogAPI is performed on a UNIX-like system with several users. The api is used to download a file comprising sensitive information. This sensitive information’s showing locally to additional users.
March 03,2021
CVE-2021-21315
This scheme information is an opensource collection of functions to repossess thorough hardware, system and OS data
February 16,2021
CVE-2021-2506
The Vulnerability have been Informed to disturb previous versions of QTS. If oppressed, this Unsuitable access control vulnerability could allow attackers to compromise the security of the software by gaining human rights, or reading penetrating information (Derock, et-al, 2010).
February 03, 2021
Risk Identification using Boston Grid
All Risk identify with different levels, using Boston grid are:
· Red Cell shows the all risks for a Risk Agent.
· Green Cell shows the which risk is for Risk Motivations.
· Sky-Blue Cell shows no relation between Risk Motivations and risk.
CONCLUSION:
Cycloid can provide such services like storing our data in database in cloud and also provide security and protection. The significant factors in any cooperation such as arena of business, quantitative and monetary authorization is completely done by the Data security. As the hallmark remains the customer’s satisfaction, data security provides every facility to make customers feel the satisfaction in their data storage, accessing of information and confidential data as an instance. Disapproval is a major issue showed by several data security associations by several individuals as well as the team programmers. To lessen the risk factor of leakage of data, a compelling data security access the best framework coordinated by executive criteria of working. The major work organization should do is to resolve the problems in the feature of data security to gain the trust of customers. There ought to be a clear arrangement for data security to keep the data under complete privacy. Therefore, data security is a significant way to secure every kind of data and to be under privacy and it is also a great help for every institution, client and individuals. The trending associations depend on the security, privacy and data configuration of the application. The data utilization and innovation for every step increases the productivity of the business and hence develop the organization. It increases the risk factor to make understanding lack in an organization about data security, usage of portable force of labors. There should be ample knowledge on data crew lacking and security issues regarding the same. Implementation of the applications and interactions of the clients for the information of data security in a wide arena due to adequate manipulation and implementation of the data security. There should be a guarantee by the organization that data security is not leading to any particular leakage problem to anyone and hence is not any severe mechanical issue. The best theory of the data security and the proposal is to attain a great significance of data security for every client to make business a level up with technological advancement.
REFRENCES:
· Jøsang, A., AlFayyadh, B., Grandison, T., AlZomai, M. and McNamara, J., 2007, December. Security usability principles for vulnerability analysis and risk assessment. In Twenty-Third Annual Computer Security Applications Conference (ACSAC 2007) (pp. 269-278). IEEE.
· Moyo, M., Abdullah, H. and Nienaber, R.C., 2013. Information security risk management in small-scale organisations: A case study of secondary schools computerised information systems(pp. 1-6). IEEE.
· Moteff, J., 2005, February. Risk management and critical infrastructure protection: Assessing, integrating, and managing threats, vulnerabilities and consequences. Library of Congress Washington DC Congressional Research Service.
· Bahtit, H. and Regragui, B., 2013. Risk Management for ISO27005 Decision Support. International Journal of Innovative Research in Science, Engineering and Technology.
· Agrawal, V., 2017, June. A framework for the information classification in ISO 27005 Standard. In 2017 IEEE 4th International Conference on Cyber Security and Cloud Computing (CSCloud) (pp. 264-269). IEEE.
· Castro, A.R. and Bayona, Z.O., 2011. Gestión de Riesgos tecnológicos basada en ISO 31000 e ISO 27005 y su aporte a la continuidad de negocios. Ingeniería, 16(2), pp.56-66.
· Wahlgren, G., Bencherifa, K. and Kowalski, S., 2013. A framework for selecting IT security risk management methods based on ISO27005. In MIC-CPE 2013: 6th International Conference on Communications, Propagation and Electronics, Kenitra, Morocco, 1-3 Februari, 2013. Academy Publisher.
· Faris, S., Medromi, H., El Hasnaoui, S., Iguer, H. and Sayouti, A., 2014. Toward an effective information security risk management of universities’ information systems using multi agent systems, ITIL, ISO 27002, ISO 27005. Editorial Preface, 5(6).
· Medromi, H. and Sayouti, A., 2014. An Integrated use of ISO27005, Mehari and Multi-Agents System in order to Design a Comprehensive Information Security Risk Management Tool.
· Wirtz, R., Heisel, M., Borchert, A., Meis, R., Omerovic, A. and Stølen, K., 2018, March. Risk-based elicitation of security requirements according to the ISO 27005 standard. In International Conference on Evaluation of Novel Approaches to Software Engineering (pp. 71-97). Springer, Cham.
· Felipe, M.S.I., Andrés, L.V.S. and Raúl, B.G., 2019, October. Risks Found in Electronic Payment Cards on Integrated Public Transport System Applying the ISO 27005 Standard. Case Study Sitp DC Colombia. In 2019 Congreso Internacional de Innovación y Tendencias en Ingenieria (CONIITI) (pp. 1-6). IEEE.
· Derock, A., Hebrard, P. and Vallée, F., 2010, May. Convergence of the latest standards addressing safety and security for information technology. In ERTS2 2010, Embedded Real Time Software & Systems.
· Omerovic, A. and Stølen, K., 2019, June. Risk-Based Elicitation of Security Requirements According to the ISO 27005 Standard. In Evaluation of Novel Approaches to Software Engineering: 13th International Conference, ENASE 2018, Funchal, Madeira, Portugal, March 23–24, 2018, Revised Selected Papers (Vol. 1023, p. 71). Springer.
1
