Cybersecurity risk management
Running Head: Risk Assessment – <name of organization>
Risk Assessment on <name of organization>
<student name>
UMGC
<date of submission>
Abstract
The purpose of your abstract is to provide a brief yet thorough overview of your paper. APA standards suggest that your abstract should function much like your title page: it should allow the reader to quickly determine what your paper is about. Think of it much like the conclusion, but with the added intent of addressing the who, what, and why of what follows.
Table of Contents
1. Introduction
1.1 Purpose: <State the purpose of the risk assessment, including identifying threats and vulnerabilities related to the organization and/or its sector of business.>
1.2 Scope: <State the scope of the risk assessment. Most large organizations encompass many business functions, and this is where you identify which operations your assessment will focus on. For instance, Amazon as a corporation includes eCommerce, cloud computing, digital streaming, and artificial intelligence services.>
1.3 Objective: <State why this risk assessment is being performed. Since this risk assessment is focused on information systems, it is best to cite relevant breaches within the sector.>
1.4 Background: <Describe the past and current health of the organization.>
2. Risk Assessment Approach
2.1 The participants (e.g., risk assessment team members)
Role | Name
<role> | <name>
Table 2.1 Risk Assessment Team Members
2.2 The Risk Model
Identify the methodology and/or framework used for this risk assessment (e.g., NIST SP800-30r1, 800-39, etc.). Describe whether the assessment will be quantitative or qualitative (or both).
3. Risk Assessment
<State the importance of this Risk Assessment. For instance: ‘a comprehensive risk assessment of the information systems of an organization is vital to the creation of a reliable and trustworthy security system. Setting up a secure framework is important, but equally important is the monitoring and evaluation of potential threats and vulnerabilities that may assail the system. Security controls identified based on known risks need to be implemented and maintained’.>
3.1 STEP 1: System Characterization
<Provide a thorough explanation of the information systems that support the scope of your risk assessment. Discuss relevant systems, including database management systems, transaction processing, and office support.>
3.1.1 Information gathering techniques
<Describe the resources that will be used to gather information for this risk assessment, including websites, periodicals, journals, and magazines.>
3.1.2 System-Related Information
<List and describe the system-related components.>
Component | Description
Applications | <description>
Databases | <description>
Server Configurations/Operating Systems | <description>
Interconnections | <description>
Protocols | <description>
Table 3.1.2 System-Related Information
3.1.3 Data Held/Used in the System
<List and describe the different types of information and data collected by the organization.>
Data | Description
<data type> | <description>
Table 3.1.3 Information Assets
3.1.4 System Users
<List and describe the users of the information systems.>
Users | Description
<user group> | <description>
Table 3.1.4 System Users
3.1.5 Flow Diagram
<Create and provide a graphic to show the flow of information in/around the information systems.>
3.2 STEP 2: Threat Identification
<This section identifies potential threats applicable to the system-related information of the organization.>
<Risk will be determined based on a threat event, the likelihood of that threat event occurring, known system vulnerabilities, mitigating factors, and the consequences/impact to the mission. The following table is provided as a list of sample threat sources. Use this table to determine the threats relevant to the system.>
TYPE OF THREAT SOURCE | DESCRIPTION
ADVERSARIAL: Individual (outsider, insider, trusted, privileged); Group (ad hoc or established); Organization (competitor, supplier, partner, customer); Nation state | Individuals, groups, organizations, or states that seek to exploit the organization’s dependence on cyber resources (e.g., information in electronic form, information and communications technologies, and the communications and information-handling capabilities provided by those technologies).
ACCIDENTAL: Standard user; Privileged user/Administrator | Erroneous actions taken by individuals in the course of executing their everyday responsibilities.
STRUCTURAL: IT equipment (storage, processing, communications, display, sensor, controller); Environmental conditions (temperature/humidity controls, power supply); Software (operating system, networking, general-purpose application, mission-specific application) | Failures of equipment, environmental controls, or software due to aging, resource depletion, or other circumstances which exceed expected operating parameters.
ENVIRONMENTAL: Natural or man-made disaster (fire, flood, earthquake, etc.); Unusual natural event (e.g., sunspots); Infrastructure failure/outage (electrical, telecommunications) | Natural disasters and failures of critical infrastructures on which the organization depends but which are outside its control. Can be characterized in terms of severity and duration.
Table 3.2 Sample Threat Sources (see NIST SP 800-30 for the complete list)
3.3 STEP 3: Vulnerability Identification
3.3.1 Vulnerability Sources
<This section will identify potential vulnerabilities applicable to the system-related information for the organization.>
Vulnerability | Threat-Source | Threat Action
<vulnerability> | <threat source> | <threat action>
Table 3.3.1 Vulnerability Identification
<Write a comprehensive description of each vulnerability and the associated threat sources and threat actions listed in table 3.3.1.>
3.3.2 System Security Testing
<Describe tools and techniques that the organization could use to evaluate system security. Examples of security testing include vulnerability scanning, Security Test and Evaluation (ST&E), third party consultants, and tools including Netsparker or Acunetix.>
3.3.3 Development of Security Requirements Checklist
<Provide a checklist of security requirements suggested for use in determining the vulnerabilities of the organization’s systems.>
Security Area | Security Criteria
Management Security | <criteria>
Operational Security | <criteria>
Technical Security | <criteria>
Table 3.3.3 Security Requirements Checklist
3.4 STEP 4: Control Analysis
<Security controls are in place to protect the confidentiality, integrity, and availability of information within the management, operational, and technical aspects of an information system or network. The selection of appropriate security controls for an information system is based on many factors, including the current security controls and the answers to the following questions:
· What security controls are needed to adequately protect the information systems that support the operations and assets of the organization and allow the organization to accomplish its assigned mission, protect its assets, fulfill its legal responsibilities, maintain its day-to-day functions, and protect individuals?
· Have the selected security controls been implemented, or is there a realistic plan for their implementation?
· What is the desired or required level of assurance (i.e., grounds for confidence) that the selected security controls, as implemented, are effective in their application?>
3.4.1 Control Methods
<Describe a strategic approach for mitigating risk, including:
· Reducing risk through changes in enterprise system design and management,
· Reducing risk through improved risk information management,
· Neutralizing risk through diversification across enterprises, space, and time, and
· Retaining risk (accepting risks as they exist).>
3.4.2 Control Categories
<Describe how the organization will use system controls and security testing to fortify its information systems with both preventive controls and detective controls.>
3.5 STEP 5: Likelihood Determination
<List and define the levels of likelihood that a vulnerability can be exploited. Each level of likelihood should be assigned an expected value in order to support a more quantitative analysis.>
Qualitative Values | Semi-Quantitative Values (0-100) | Semi-Quantitative Values (0-10) | Description
Very High | 96-100 | 10 | Adversary is almost certain to initiate the threat event.
High | 80-95 | 8 | Adversary is highly likely to initiate the threat event.
Moderate | 21-79 | 5 | Adversary is somewhat likely to initiate the threat event.
Low | 5-20 | 2 | Adversary is unlikely to initiate the threat event.
Very Low | 0-4 | 0 | Adversary is highly unlikely to initiate the threat event.
Table 3.5.1 Assessment Scale – Likelihood of Threat Event Initiation (Adversarial)
Qualitative Values | Semi-Quantitative Values (0-100) | Semi-Quantitative Values (0-10) | Description
Very High | 96-100 | 10 | Error, accident, or act of nature is almost certain to occur; or occurs more than 100 times per year.
High | 80-95 | 8 | Error, accident, or act of nature is highly likely to occur; or occurs between 10-100 times per year.
Moderate | 21-79 | 5 | Error, accident, or act of nature is somewhat likely to occur; or occurs between 1-10 times per year.
Low | 5-20 | 2 | Error, accident, or act of nature is unlikely to occur; or occurs less than once a year, but more than once every 10 years.
Very Low | 0-4 | 0 | Error, accident, or act of nature is highly unlikely to occur; or occurs less than once every 10 years.
Table 3.5.2 Assessment Scale – Likelihood of Threat Event Occurrence (Non-adversarial)
3.6 STEP 6: Impact Analysis
<The table below defines the impact of an exploited vulnerability. Use it to assign an impact level to each vulnerability.>
Qualitative Values | Semi-Quantitative Values (0-100) | Semi-Quantitative Values (0-10) | Description
Very High | 96-100 | 10 | The threat event could be expected to have multiple severe or catastrophic adverse effects on organizational operations, organizational assets, individuals, other organizations, or the Nation.
High | 80-95 | 8 | The threat event could be expected to have a severe or catastrophic adverse effect on organizational operations, organizational assets, individuals, other organizations, or the Nation. A severe or catastrophic adverse effect means that, for example, the threat event might: (i) cause a severe degradation in or loss of mission capability to an extent and duration that the organization is not able to perform one or more of its primary functions; (ii) result in major damage to organizational assets; (iii) result in major financial loss; or (iv) result in severe or catastrophic harm to individuals involving loss of life or serious life-threatening injuries.
Moderate | 21-79 | 5 | The threat event could be expected to have a serious adverse effect on organizational operations, organizational assets, individuals, other organizations, or the Nation. A serious adverse effect means that, for example, the threat event might: (i) cause a significant degradation in mission capability to an extent and duration that the organization is able to perform its primary functions, but the effectiveness of the functions is significantly reduced; (ii) result in significant damage to organizational assets; (iii) result in significant financial loss; or (iv) result in significant harm to individuals that does not involve loss of life or serious life-threatening injuries.
Low | 5-20 | 2 | The threat event could be expected to have a limited adverse effect on organizational operations, organizational assets, individuals, other organizations, or the Nation. A limited adverse effect means that, for example, the threat event might: (i) cause a degradation in mission capability to an extent and duration that the organization is able to perform its primary functions, but the effectiveness of the functions is noticeably reduced; (ii) result in minor damage to organizational assets; (iii) result in minor financial loss; or (iv) result in minor harm to individuals.
Very Low | 0-4 | 0 | The threat event could be expected to have a negligible adverse effect on organizational operations, organizational assets, individuals, other organizations, or the Nation.
Table 6.1: Assessment Scale – Impact of Threat Events
3.7 STEP 7: Risk Determination
<Risk determination combines the Likelihood of the threat being exercised with the Impact of the exploited vulnerability. The likelihood level is assigned a value of 1.0 for High, 0.5 for Medium, and 0.1 for Low. The magnitude of the Impact is placed on a scale of 0-100 (High 100, Medium 50, Low 10). Tables 7.1 and 7.2 below illustrate the risk determination.>
Qualitative Values | Semi-Quantitative Values (0-100) | Semi-Quantitative Values (0-10) | Description
Very High | 96-100 | 10 | Threat event could be expected to have multiple severe or catastrophic adverse effects on organizational operations, organizational assets, individuals, other organizations, or the Nation.
High | 80-95 | 8 | Threat event could be expected to have a severe or catastrophic adverse effect on organizational operations, organizational assets, individuals, other organizations, or the Nation.
Moderate | 21-79 | 5 | Threat event could be expected to have a serious adverse effect on organizational operations, organizational assets, individuals, other organizations, or the Nation.
Low | 5-20 | 2 | Threat event could be expected to have a limited adverse effect on organizational operations, organizational assets, individuals, other organizations, or the Nation.
Very Low | 0-4 | 0 | Threat event could be expected to have a negligible adverse effect on organizational operations, organizational assets, individuals, other organizations, or the Nation.
Table 7.1 Assessment Scale – Level of Risk
Likelihood (That Occurrence Results in Adverse Impact) | Level of Impact
 | Very Low | Low | Moderate | High | Very High
Very High | Very Low | Low | Moderate | High | Very High
High | Very Low | Low | Moderate | High | Very High
Moderate | Very Low | Low | Moderate | Moderate | High
Low | Very Low | Low | Low | Low | Moderate
Very Low | Very Low | Very Low | Very Low | Low | Low
Table 7.2: Assessment Scale – Level of Risk (Combination of Likelihood and Impact)
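As an added example (not part of the template or of NIST's own material), the following Python encodes the Step 5 to Step 7 procedure in one place: the semi-quantitative bands shared by Tables 3.5.1, 3.5.2 and 6.1, the likelihood-by-impact lookup of Table 7.2, and the three-level product model stated in the Step 7 text. The function names are my own, and the only sample data is the template's Hurricane row from Table 7.3.

```python
# Added example, not part of the template: Step 7 risk determination.
# RISK_MATRIX is Table 7.2 (rows keyed by likelihood, columns over impact in
# LEVELS order); BANDS are the 0-100 columns of Tables 3.5.1, 3.5.2 and 6.1.

LEVELS = ["Very Low", "Low", "Moderate", "High", "Very High"]

RISK_MATRIX = {
    "Very High": ["Very Low", "Low", "Moderate", "High", "Very High"],
    "High":      ["Very Low", "Low", "Moderate", "High", "Very High"],
    "Moderate":  ["Very Low", "Low", "Moderate", "Moderate", "High"],
    "Low":       ["Very Low", "Low", "Low", "Low", "Moderate"],
    "Very Low":  ["Very Low", "Very Low", "Very Low", "Low", "Low"],
}

# Lower bound of each 0-100 band and its level, checked from the top down.
BANDS = [(96, "Very High"), (80, "High"), (21, "Moderate"),
         (5, "Low"), (0, "Very Low")]

# Step 7 text: likelihood weight (1.0/0.5/0.1) x impact magnitude (100/50/10).
LIKELIHOOD_WEIGHT = {"High": 1.0, "Medium": 0.5, "Low": 0.1}
IMPACT_MAGNITUDE = {"High": 100, "Medium": 50, "Low": 10}

def band(score):
    """Map a 0-100 semi-quantitative score to its qualitative level."""
    if not 0 <= score <= 100:
        raise ValueError(f"score must be 0-100, got {score}")
    return next(level for floor, level in BANDS if score >= floor)

def risk_level(likelihood, impact):
    """Look up Table 7.2; each input may be a level name or a 0-100 score."""
    if isinstance(likelihood, (int, float)):
        likelihood = band(likelihood)
    if isinstance(impact, (int, float)):
        impact = band(impact)
    if likelihood not in RISK_MATRIX or impact not in LEVELS:
        raise ValueError(f"unknown level: {likelihood!r} / {impact!r}")
    return RISK_MATRIX[likelihood][LEVELS.index(impact)]

def numeric_risk(likelihood, impact):
    """Three-level product model from the Step 7 text (0-100 result)."""
    return LIKELIHOOD_WEIGHT[likelihood] * IMPACT_MAGNITUDE[impact]

def assess(rows):
    """Append the Risk column to Table 7.3 rows (event, vuln, mitigation, likelihood, impact)."""
    return [(*row, risk_level(row[3], row[4])) for row in rows]

if __name__ == "__main__":
    # Constructed sample row, matching the template's Hurricane example in Table 7.3.
    sample = [("Hurricane", "Power outage", "Backup generators", "Moderate", "Low")]
    print(assess(sample))  # risk column resolves to 'Low'
```

Scores just either side of a band boundary (20 versus 21, 95 versus 96) change the qualitative level, so when the template's 0-100 values are used the band edges decide the final risk rating.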
3.7.1 Description of Risk Level
<Determine relevant threats to the Information Systems (IS). List the risks to the IS in the Risk Assessment Results table below and detail the relevant mitigating factors and controls. Refer to NIST SP 800-30 for further guidance, examples, and suggestions.>
Threat Event | Vulnerabilities / Predisposing Characteristics | Mitigating Factors | Likelihood (Table 3.5.1 or 3.5.2) | Impact (Table 6.1) | Risk (Tables 7.1 & 7.2)
e.g. Hurricane | Power Outage | Backup generators | Moderate | Low | Low
<threat event> | <vulnerabilities> | <mitigating factors> | <likelihood> | <impact> | <risk>
Table 7.3 Risk Assessment Results
* Likelihood / Impact / Risk = Very High, High, Moderate, Low, or Very Low
3.8 STEP 8: Control Recommendations
<The purpose of this section is to provide recommendations of controls for the information system with the intent to reduce risk from identified vulnerabilities by mitigating threats against the organization.>
3.9 STEP 9: Results Documentation
<This section provides the results of the risk assessment: it describes the threats and vulnerabilities, measures the risk, and provides recommendations for control implementation.>
References
<List all resources in accordance with the APA standards for writing.>
Sources:
NIST SP 800-30 Rev. 1, Guide for Conducting Risk Assessments
NIST SP 800-53 Rev. 4, Security and Privacy Controls for Information Systems and Organizations