Let's do some risk analysis on a school's information assets. The school stores many types of about students and three of these are: identification information (name, address, SIN, telephone numbers etc.), IT information (username, password, email services, etc.), and financial information (tuition, student loans, banking information, etc.)
a. For EACH of the three types of information describe who would want to illegally access this type of information and why?
b. Consider what the impact would be for EACH of the three types of information mentioned above if the information was improperly accessed or damaged. Is the impact Catastrophic (expose school to serious lawsuits, loss of reputation, and/or information cannot be recreated), Serious (some exposure to lawsuits, loss of reputation and/or information is expensive to recreate), or No BigDeal (small chance of lawsuits, information can easily be recreated). Be sure to justify your choice for each type of information.
c. Now consider what the likelihood is that EACH type of information could be accessed or damaged: not likely, moderately likely, very likely. Justify why you think the information fits in that category.
d. Now let's look at how we can manage the risk. Basic techniques are: avoiding the risk, modifying the risk (impact and/or likelihood), transferring the risk to others, and accepting the risk. What techniques would you use for EACH of the types of information and how would you implement it?