Assignment:

Background

This is an individual research project. The objective of the research project is to develop an Information Asset Risk Assessment Report for an organization of your choosing, The analysis should be conducted using only publicly available information (that is, information obtainable on the Internet, company reports, news reports, journal articles, etc.). The risk analysis should consider legitimate, known threats that pertain to the subject organization. Based on the information gathered, presumed vulnerabilitiesof the company or organization's computing and networking infrastructure will be identified. Then, based on the identified threats and vulnerabilities, you will describe the risk profile for the subject organization and suggest recommendations to mitigate the risks.

Your report should be 12 pages, double-spaced, exclusive of cover, title page, table of contents, endnotes, and bibliography. Your paper must use APA formatting with the exception that tables and figures can be inserted at the appropriate location rather than added at the end.

1. PROJECT PROPOSAL

Write (a page and half) Project Proposal, indicating the name and relevant aspect(s) of the organization you intend to use as a subject for your report. The Project proposal must be accompanied by an annotated bibliography and must be submitted for a review before proceeding to No.2 (Risk Assessment Report).

i. The project proposal should be a page and half (double spaced) description of the organization that you propose to analyze, with a summary of the scope (e.g., entire organization, key business area, major system, etc.) for the risk assessment you are expected to conduct.

ii. The proposal should identify the subject organization with a brief explanation of why you chose the subject for this assignment.

iii. The proposal should also describe the research methods to be used and anticipated sources of research information sources. An important step in developing your Risk Assessment Report will be the construction of an Annotated Bibliography. Having developed and described a subject organization and scope of analysis in the proposal, the next step is to identify and assess the value of potential research material.

iv. You should identify five (5) to six (6) significant articles relevant to your subject organization and to identifying and assessing risks in

a context like the scope of your report.

v. For a report of this nature, you may expect to find useful sources in both business-focused (e.g., Business Source Premier, Business and Company Resource Center, ABI/Inform) and technically focused databases (e.g., ACM Digital Library, IEEE, Gartner.com).

vi. The annotated bibliography will consist of 100 to 250 words per article, that describe the main ideas of the article, a discussion of the usefulness of such an article in understanding various aspects of your report, and other comments you might have after reading the article. For each article, there should be a complete reference in APA format. Your Annotated Bibliography will then form the basis of the sources for your report. (You may also supplement the references used in your report with additional reference material.)

Some excellent guidance on how to prepare an annotated bibliography can be found at https://www.library.cornell.edu/research/citation/tutorial.

2. RISK ASSESSMENT REPORT

The Risk Assessment Report should be a polished, graduate-level paper. You must submit the report to Turnitn.com to improve the originality score before submitting the report in the Assignment Folder. The lower the originality score the better it is. You should aim for an originality score of 10%.

Risk Assessment Report Overview

The objective of this assignment is to develop a Risk Assessment Report for a company, government agency, or other organization (the "subject organization"). The analysis will be conducted using only publicly available information (e.g., information obtainable on the Internet, company reports, news reports, journal articles, etc.) and based on judicious, believable extrapolation of that information. Your risk analysis should consider subject organization information assets (computing and networking infrastructure), their vulnerabilities and legitimate, known threats that can exploit those vulnerabilities. Your assignment is then to derive the risk profile for the subject organization. Your report should also contain recommendations to mitigate the risks.

There is a wealth of business-oriented and technical information that can be used to infer likely vulnerabilities and assets for an organization. It is recommended that students select their organizations based at least in part on ease of information gathering, from a public record perspective.

Steps to be followed:

1. Pick a Subject Organization: Follow these guidelines:

a. No insider or proprietary information. All the information you collect must be readily available for anyone to access. You will describe in your proposal how you intend to collect your information.

b. You should pick a company or organization that has sufficient publicly available information to support a reasonable risk analysis, particularly including threat and vulnerability identification.

2. Develop Subject Organization Information: Examples of relevant information includes:

a. Company/Organization name and location

b. Company/Organization management or basic organizationstructure

c. Company/Organization industry and purpose (i.e., the nature of itsbusiness)

d. Company/Organization profile (financial information, standing in itsindustry, reputation)

e. Identification of relevant aspects of the company/organization's computing and network infrastructure. Note: Do not try to access more information through Social Engineering, or through attempted cyber-attacks or intrusionattempts.

3. Analyze Risks

a. For the purposes of this assignment, you will follow the standard risk assessment methodology used within the U.S. federal government, as described in NIST Special Publication 800-30 (United States. National Institute of Standards and Technology (2002). Risk Management Guide for Information Technology Systems (Special Publication 800-30).

b. In conducting your analysis, focus on identifying threats and vulnerabilities faced by your subject organization.

c. Based on the threats and vulnerabilities you identify, next determine both the relative likelihood and severityof impact that would occur should each of the threats materialize. This should produce a listing of risks, at least roughly ordered by their significance to theorganization.

d. For the risks you have identified, suggest ways that the subject organization might respond to mitigate the risk.

4. Prepare Risk Assessment Report

a. Reports should be 12 pages (exclusive of cover, title page, table of contents, endnotes, and bibliography), double-spaced, and should follow a structure generally corresponding to the risk assessment process described in NIST Special Publication 800-30.

b. The report should be prepared using the APA Style. All sources ofinformation should be indicated via in-line citations and a list of references.