Asset-based risk assessment and control
Objectives:
This assessment is designed to assess your level of understanding of the following topics:
- Information asset identification and classification.
- Information threat identification and classification.
- Asset-based risk assessment.
- Discuss risk control strategies and evaluate risk controls using cost-benefit analysis.
- Discuss the limitation of the current risk assessment and control approaches
The task
Step-1: Asset identification and classification
To perform the task, you have worked with the company to identify their information assets. After explaining to the company's staff about different types of information assets, you have asked them to come up with a list of information assets that they can identify. A week later you have the list of information assets as identified by different company's departments. The assets however are not listed with enough information so you need to add the missing information based on your judgement and then perform the asset classification. You will use an Excel worksheet to help to with this task. The worksheet with the asset list can be downloaded from the unit website.
For each asset in the list, you need to:
- Determine if the asset is relevant.If not the highlight it with red ink and set the classification column to NOTrelevant. If the asset is relevant, continue to:
- Provide a meaningful description for the asset e.g. what's it used for, what's included etc.
- Determine the asset location and ownership
- Assign a unique ID for the asset. Each id should give some hint about the asset. For instance HW.IN.01 can be interpreted as Hardware Asset number 1 for Internal Use.
- Determine the impact factors for the asset. In practice, you will have to consult the company manager in this step. In this assignment, you can assign the factor value based on your understanding and experience about each asset. You also use the public domain to help you in some cases. After you have entered the impact factors, the overall impact will be automatically computed based on the weight of each factor in the Settings sheet.
- You then sort the asset based on the overall impact factor in the descending order.
Step-2: Threat identification and classification
After you have identified and classified the information assets, you will perform the threat identification and classification. Navigate to the Classified Threat List sheet of the Excel worksheet. In this sheet, the common threats to information security have been listed. This is not a complete list so you can add new threats that you have identified.
For each threat in the list, you have to:
- Determine if the threat is relevant to the company context. If not the highlight it with red ink and set the relevance column to NOTrelevant. If the threat is relevant, set the degree of relevance and continue to:
- Assign the threat to its corresponding category.
- Assign a unique ID to the threat
- Assign the impact factor values to the threat. In practice, you will need to consult the company managers, security experts, service providers, and hardware and software vendors to determine these values. In this assignment, use your knowledge, experience, and public domain to help you with the task. The threat overall impact will be calculated automatically using the weights in the Settings sheet.
- Finally, sort the threat based on the overall impact factor in the descending order.
Step 3: Asset-based risk assessment
Once if you classified the assets and threats, you will select the most important assets and the most dangerous threats for risk assessments. Doing risk assessment for every threat and asset pair in most situation is not practical and not necessary due to the cost-benefit balance. In most cases, money is invested to protect most valuable assets from most dangerous threats.
In this assignment, you will select the top of 10 most important assets and 10 most dangerous threats to perform the risk assessment. Navigate to the TVA-Mapping sheet and replace the asset and threat cells with the corresponding threat and asset ID. Next, identify if there is any vulnerability exits for each threat-asset pair. Write down the number of vulnerability in the corresponding cell of each pair or colour the cell with green ink if no vulnerability exists. Once if you have done this mapping, navigate to the Risk Assessment sheet.
In the Risk Assessment sheet, you need to note down the detail of each vulnerability, estimate the impact of each vulnerability, its likelihood, the amount of risk due to the current risk control and the amount of risk due to the error in your estimation.The risk value will be calculated automatically after all values have been provided. The vulnerability impact value can be estimated from the asset impact value, and the likelihood value from the likelihood of the threat. Note that the likelihood of a vulnerability depends not only on the likelihood of the threat but also on other factors like the threat agent and the level of defence. In practice, statistical analysis, simulations and other techniques are used to carry out these estimations. In this assignment, however you will estimate these values directly from the asset impact values and the threat likelihood by assuming that the current level of control has uniformly reduced the probability of any threat to be exploited to 50%. We also assume that the estimation error is 20% for all cases.
After you have finished the risk value estimation for all identified vulnerabilities, sort the vulnerabilities by their risk value in the descending order and report the top five vulnerabilities.
Now, instead of using the risk formula to estimate risk values, use the quantitative risk analysis matrix for the task. In the quantitative risk analysis matrix method, you need to rate each vulnerability using the five-scale ratting scheme and work out the corresponding level of the risk for each vulnerability. After you have finished ratting the vulnerabilities using this method, sort the vulnerabilities by the risk levels from the extreme to very-low.
- Note down the top five vulnerabilities and report if they are different to the previously identified fives. (150 words)
- Finally, write a short paragraph to discuss the advantage and disadvantage of each risk value estimation method. (150 words)
Step 4: Risk control
Assume that after you present your risk analysis to the company managers, the company is willing to accept a moderate level of risk with a limited investment on risk control. Discuss which strategy option you would choose to protect the high-risk information assets.
Attachment:- Risk_Assessment.rar