Risk Assessment Assignment
You will be performing steps 1-3 for this assignment for the scenario that follows.
Grading: For this assignment, you may want to reflect on two facets from our course thus far: (1) the risk assessment worksheet and activity, and (2) the risk assessment methods and criteria presented in your textbook and in the lectures (such as OCTAVE; for more information see: http://www.cert.org/octave/). Like all qualitative assignments and case studies, not all the information is going to be explicit. You have to make logical inferences about things that are implied or implicit, and also weed out irrelevant information and focus on what the important issues are. You might want to write a short section that states your assumptions at the beginning of your paper. That will help me determine where you are coming from if I have a question about the path you went down. You will be judged on the quality and accuracy of the risks in your assessment and how well you justify them. You will be required to pick a risk assessment method presented in your textbook and use it as a framework or set of criteria, briefly explain the method/criteria chosen, and outline your risk assessment according to it. There is no minimum or maximum length for the paper, but to do a good job, as a point of reference, it would take me about 6 or 7 pages. Also, the format is up to you (and the risk method you choose).
Scenario – Risk Assessment: The Case of the Becoming Company
The Company Mission Statement
“Conscious life means the return of cosmic being as human becoming. Spirit appears in time as a product, even as a by-product, of nature, yet it is in spirit that nature in its endless dynamic is timelessly enveloped. And so, Man is always becoming” (Martin Buber).
Always becoming reflects Man’s inherent need to grow, learn, and change. The Becoming Company provides a full line of developmental resources that help drive one’s becoming. We not only provide it, we live it.
Scenario
The Becoming Company is a full service provider for a line of developmental training and inspirational materials, including videos, music, and books, called Drive Change. The idea grew out of Ann Roger’s personal interest after years of struggling against generalized anxiety disorder and depression. Years of counseling and pharmacological treatment had little effect on her outlook, until one day she read a research study on biofeedback that described a therapy for changing thought patterns and habits which ultimately leads to “rewiring” in the brain, allowing new positive patterns of thought to emerge and become habituated. Ann created her own therapy out of an eclectic collection of materials: videos, music, dietary information, exercise programs, and books, along with a schedule for her daily treatment and a mantra filled with affirmations to use each time negative thoughts would intrude. Over time she mitigated her condition and found fulfillment and happiness in her life. Ann decided to share her experience, materials, and therapy with others. She incorporated as a Woman-Owned S-Corporation, got a Small Business Administration (SBA) loan for $350,000 and opened a shop with an office in her hometown of Burlington near Boston. Burlington is the location of many high-technology companies and upper-middle class, well-educated, hardworking and stressed-out people. To run her business, she purchased a computer (she calls it the back office computer) and the necessary peripherals for faxing, printing and so on, and a Point of Sales computer. She hired a staff of three people, Larry, Curly and Moe, to work the counter and cash register and handle various other tasks, including accessing the back office computer when needed for things like creating invoices or letters to mail. Moe is the supervisor in charge when Ann is not in the store. Moe has a Master’s degree in horticulture from Northeastern University, but likes to tinker with computers.
Larry and Curly like to tinker too, and Curly sometimes uses the back office computer for surfing the Internet for fishing gear and other such items. The following describes her systems and configuration.
Ann purchased a Dell OptiPlex 390 computer (visit www.dell.com for more information) for keeping the accounting books and records, such as sales transactions, and performing basic office functions such as word processing and spreadsheets.
The software on this system consists of Microsoft Windows 7 Professional edition with the bundled software, including Microsoft Office, along with an 8x5 support and maintenance contract that allows her to upgrade her software at a reduced rate. For accounting and keeping track of sales transactions, she uses a custom program written by her nephew, Bob, who is a sophomore computer science student at Boston University. The program is written in Microsoft Visual Basic .NET and uses Microsoft Access as the database. She stores her business records and invoices as plain files (e.g. text and Microsoft Word documents) in various directories. She does not use an encrypted file system. She relies on a conventional firewall and virus scanner for security; for that, she uses the free version of ZoneAlarm as a firewall and the free version of AVG for virus scanning. She also does backups to flash drives weekly, which she keeps at home in a desk drawer. Ann uses the basic Windows login password for Administrator, using her pet cat’s name, “Fluffy”, as the password. Only she knows the administrator password. She has a user account, called “Assistant”, to enable her staff of three (Larry, Curly, and Moe) to log in and work on the computer to do basic things: use the Internet, create files, etc. The system is connected to the Internet through a local service provider using a wireless network connection. The wireless connection is Wired Equivalent Privacy (WEP) encrypted, but she has chosen her store’s phone number as her WEP password.
For the storefront, Ann purchased a small Point of Sales (POS) computer from InitiaTek, a company that specializes in POS computers and installation. The POS software runs Windows 7 in a Microsoft Virtual PC virtual machine. The POS system consists of a self-contained cash drawer and sales register, with tabulation and transaction software written in C#.NET. This system is networked over the wireless network to the back office computer, also using WEP.
InitiaTek configured a software and network interface from the POS tabulation and transaction software to the custom accounting application running on the back office computer, so that when a transaction is “rung up” on the POS, it is recorded in the POS and simultaneously passed to the accounting application, which records it in the Microsoft Access database.
Instructions: Choose a method for risk assessment, and then conduct an assessment of the security described in the previous scenario. To do this, you will complete an assessment of assets (Step 1). For Step 1, you have to identify what hardware and software is in place. Make note also of what information is kept on the systems, and classify it according to sensitivity or confidentiality.
Next, assess the vulnerability of these assets as best you can (Step 2). This requires you to try to determine how vulnerable these assets are; for example, how is access to systems controlled? Write a brief description of the vulnerabilities.
Then, you will try to assess the probability and severity of damage that could occur (Step 3). In addition to the descriptive sentences, I usually like to create a matrix for this that shows the probability of a risk (e.g. what is the probability that the risk exists AND that it will be exploited, a subjective measure that I try to quantify) and the severity of the risk if it exists.
Finally, write up an assessment of the risk. At this point, you are only interested in the risks, NOT in the security measures you would implement to resolve them (we will get to that later).
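As an added illustration of Step 3 (not part of the assignment text), the following Python builds the probability x severity matrix described above over assets and weaknesses taken from the Becoming Company scenario. The 1-5 ratings and the score bands are the example's own assumptions; a real write-up must justify each rating in prose.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Risk:
    asset: str        # what is at risk (taken from the scenario)
    weakness: str     # why it is exposed (taken from the scenario)
    probability: int  # 1 (rare) .. 5 (almost certain): risk exists AND is exploited
    severity: int     # 1 (negligible) .. 5 (catastrophic) if it happens

    def score(self) -> int:
        return self.probability * self.severity

# Score bands: thresholds are an assumption of this example, not the course's.
BANDS = ((20, "critical"), (12, "high"), (6, "medium"), (0, "low"))

def band(score: int) -> str:
    """Map a 1..25 score to a qualitative band."""
    for floor, label in BANDS:
        if score >= floor:
            return label
    return "low"

# Constructed register: the 1-5 ratings are illustrative judgements, not facts from the page.
REGISTER = [
    Risk("Wireless network (back office and POS)", "WEP, key is the store phone number", 5, 4),
    Risk("Back office computer", "Administrator password is the cat's name 'Fluffy'", 4, 5),
    Risk("Back office computer", "Shared 'Assistant' account used for web browsing", 4, 3),
    Risk("Weekly flash-drive backups", "Unencrypted, kept at home in a desk drawer", 2, 4),
    Risk("Business records and invoices", "Plain files, no encrypted file system", 3, 3),
    Risk("Accounting application and Access database", "Custom code by a student, no stated review", 3, 4),
]

def rank(register):
    """Return (asset, weakness, score, band) rows, highest score first."""
    rows = sorted(register, key=lambda r: r.score(), reverse=True)
    return [(r.asset, r.weakness, r.score(), band(r.score())) for r in rows]

def matrix(register):
    """5x5 grid: matrix[probability-1][severity-1] = count of risks in that cell."""
    grid = [[0] * 5 for _ in range(5)]
    for r in register:
        grid[r.probability - 1][r.severity - 1] += 1
    return grid

if __name__ == "__main__":
    for asset, weakness, score, label in rank(REGISTER):
        print(f"{score:2d} {label:8s} {asset}: {weakness}")
```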
So, your assignment should consist of:
1. A chosen method for risk assessment, explained and used.
2. List of assets
3. Risk/Vulnerability assessment statements (according to your chosen method)
4. A brief assessment of probability and severity of damage in the event of a security incident
5. A write-up of the assessment
Submit your assignment as a Word or PDF document. Your assignment will be judged: 50% for the method properly used, 50% for the write-up (accuracy and professionalism of the product).