In: Operations Management
Make a Risk Management Plan for your Valuable IT Assets at Home
a. Identify Assets and their Value, Classify, Prioritize them
b. Identify Threats and Priorities
c. Specify Asset Vulnerabilities
d. Calculate Risk (show all calculations)
e. Select Control Strategies for Mitigating, Treating and Reducing Risk
You would be submitting the following documents as outcomes of your activity. Each document has 5 marks.
a. Information Asset Classification Worksheet
b. Weighted Factor Analysis Worksheet
c. TVA Spreadsheet
d. Ranked Vulnerability Risk Worksheet
e. Risk Matrix
f. Chart of Risk Control Strategies with Controls
Risk management is the process of assessing the risks to an entity's information and determining how those risks can be controlled or mitigated.
To ensure that an information asset is identified and named at a consistent level of detail, the guidelines below are recommended:
⦁ An information asset is a logical concept
⦁ An information asset should be named using nouns
⦁ An information asset is named independently of any system or application
⦁ An information asset has value if it is actively used
⦁ An information asset should represent a collection of information
⦁ An information asset should be recorded if the status of the information set remains unclear
After an information asset is identified and named using the guidelines above, it should then be classified according to the Information classification framework. The inventory should also reflect each asset’s sensitivity and security priority. A classification scheme categorizes information assets based on their sensitivity and security needs – each of these categories designates the level of protection needed for a particular information asset. Classification categories must be comprehensive and mutually exclusive. Comparative judgments are made to ensure that the most valuable information assets are given the highest priority.
A sample classification is given below:
| Information assets | Data classification | Impact to profitability |
|---|---|---|
| Information transmitted | | |
| Document Set 1 | Confidential | High |
| Customer order | Confidential | Critical |
| Secure assets | | |
| Laptop | Private | High |
| Router | Public | Critical |
The next step is to list the assets in order of importance, and this can be achieved by using a Weighted Factor Analysis (WFA) worksheet as per the sample below:
| Information asset | Criterion 1: Impact on Revenue | Criterion 2: Impact on Profitability | Criterion 3: Impact on Public Image | Weighted Score |
|---|---|---|---|---|
| Criterion weight (1-100) | 30 | 40 | 30 | |
| Document Set 1 - Bills | 0.8 | | | |
| Document Set 2 - Orders | 0.8 | | | |
| Customer order via email | 0.4 | | | |
Threat assessment consists of identifying the potential threats and examining them to determine their potential to affect the concerned information asset. Vulnerabilities are specific avenues that threat agents can exploit to attack an information asset. At the end of the risk identification process, a list of assets and their vulnerabilities is developed. Another list prioritizes threats facing the organization based on the weighted table. These can be combined into the TVA worksheet as per the template below:
| | Asset 1 | Asset 2 | Asset n |
|---|---|---|---|
| Threat 1 | | | |
| Threat 2 | | | |
| Threat n | | | |
| Priority of Controls | 1 | 2 | |
The next step is to evaluate the relative risk of each listed vulnerability. Using the information documented during the risk identification process, you can assign weighted scores based on the value of each information asset.
Some questions to ask when assigning likelihood values:
1) Which threats present a danger to the assets in the given environment?
2) Which threats represent the most danger to the information?
3) How much would it cost to recover from a successful attack?
4) Which threats would require the greatest expenditure to prevent?
Use the formula below to rank the vulnerabilities and arrive at the Ranked Vulnerability Risk Worksheet:
Risk = (Value × Likelihood) – [(Value × Likelihood) × %Control] + [(Value × Likelihood) × Uncertainty]
For example, if Asset A has a value of 50 and has one vulnerability which has a likelihood of 1.0 with no current controls, and your assumptions and data are 90% accurate, the Vulnerability Rank = (50 × 1.0) – [(50 × 1.0) × 0%] + [(50 × 1.0) × 10%] = 50 – 0 + 5 = 55
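As an added worked example (not part of the original answer), the script below computes the WFA weighted score and the vulnerability risk formula above, reproduces the Asset A figure of 55, and ranks a constructed set of home assets; all asset names, scores, likelihoods and control percentages are assumptions made for illustration.

```python
# Added example: Weighted Factor Analysis scoring and the Ranked Vulnerability
# Risk formula. All sample asset data below is constructed, not real.

# Criterion weights from the sample WFA worksheet (must total 100)
WFA_WEIGHTS = {"revenue": 30, "profitability": 40, "public_image": 30}


def weighted_score(scores, weights=WFA_WEIGHTS):
    """Weighted score = sum over criteria of (score * criterion weight).
    Each score is a 0.0-1.0 rating of the asset against that criterion."""
    if sum(weights.values()) != 100:
        raise ValueError("criterion weights must sum to 100")
    return round(sum(scores[c] * w for c, w in weights.items()), 2)


def vulnerability_risk(value, likelihood, pct_control, uncertainty):
    """Risk = (V x L) - [(V x L) x %Control] + [(V x L) x Uncertainty].
    likelihood, pct_control and uncertainty are fractions in [0, 1]."""
    for name, x in (("likelihood", likelihood), ("pct_control", pct_control),
                    ("uncertainty", uncertainty)):
        if not 0.0 <= x <= 1.0:
            raise ValueError(f"{name} must be between 0 and 1")
    exposure = value * likelihood
    return round(exposure - exposure * pct_control + exposure * uncertainty, 2)


def rank_vulnerabilities(vulns):
    """Build the Ranked Vulnerability Risk Worksheet: highest risk first."""
    rows = [(v["asset"], v["vulnerability"],
             vulnerability_risk(v["value"], v["likelihood"],
                                v["pct_control"], v["uncertainty"]))
            for v in vulns]
    return sorted(rows, key=lambda r: r[2], reverse=True)


# Constructed sample: two home assets, one vulnerability each
SAMPLE_VULNS = [
    {"asset": "Laptop", "vulnerability": "no full-disk encryption",
     "value": 50, "likelihood": 0.5, "pct_control": 0.0, "uncertainty": 0.1},
    {"asset": "Router", "vulnerability": "firmware not updated",
     "value": 40, "likelihood": 1.0, "pct_control": 0.5, "uncertainty": 0.1},
]

if __name__ == "__main__":
    # Reproduces the answer's worked figure for Asset A (expected 55.0)
    print("Asset A risk:", vulnerability_risk(50, 1.0, 0.0, 0.10))
    print("Laptop WFA score:", weighted_score(
        {"revenue": 0.3, "profitability": 0.5, "public_image": 0.7}))
    for asset, vuln, risk in rank_vulnerabilities(SAMPLE_VULNS):
        print(f"{asset:8} {vuln:25} risk={risk}")
```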