Question

Make a Risk Management Plan for your Valuable IT Assets at Home

. a. Identify Assets and their Value, Classify, Prioritize them

b. Identify Threats and Priorities

c. Specify Asset Vulnerabilities

d. Calculate Risk (show all calculations)

e. Select Control Strategies for Mitigating, Treating and Reducing Risk

You would be submitting following documents as outcomes of your activity. Each document has 5 marks.

a. Information Asset Classification Worksheet

b. Weighted Factor Analysis Worksheet

c. TVA Spreadsheet

d. Ranked Vulnerability Risk Worksheet

e. Risk Matrix f. Chart of Risk Controls Strategies with Controls

Answer 1

Risk management is the process of assessing the risks to an entity's information and determining how those risks can be controlled or mitigated.

To ensure that an information asset is identified and named at a consistent level of detail, the below guidelines are recommended:

⦁    An information asset is a logical concept
⦁    An information asset should be named using nouns
⦁    An information asset is named independently of any system or application
⦁    An information asset has value if it is actively used
⦁    An information asset should represent a collection of information
⦁    An information asset should be recorded if the status of the information set remains unclear

After an information asset is identified and named using the guidelines above, it should then be classified according to the Information classification framework. The inventory should also reflect each asset’s sensitivity and security priority. A classification scheme categorizes information assets based on their sensitivity and security needs – each of these categories designates the level of protection needed for a particular information asset. Classification categories must be comprehensive and mutually exclusive. Comparative judgments are made to ensure that the most valuable information assets are given the highest priority.

A sample classification is given below:

Information assets	Data classification	Impact to profitability
Information transmitted
Document Set 1	Confidential	High
Customer order	Confidential	Critical
Secure assets
Laptop	Private	High
Router	Public	Critical

The next step is to list the assets in order of importance and this can be achieved by using a Weighted Factor Analysis (WFA) worksheet as per the sample below:

Information asset	Criterion1: Impact on Revenue	Criterion1: Impact on Profitability	Criterion1: Impact on Public Image	Weighted Score
Criterion weight (1-100)	30	40	30
Document Set 1 - Bills	0.8
Document Set 2 - Orders	0.8
Customer order via email	0.4

Threat Assessment is consists of identifying the potential threats and examining it to determine its potential to affect the concerned information asset. Vulnerabilities are specific avenues that threat agents can exploit to attack an information asset. At the end of the risk identification process, a list of assets and their vulnerabilities is developed. Another list prioritizes threats facing the organization based on the weighted table. These can be combined into the TVA worksheet as per the template below:

	Asset 1	Asset 2		Asset n
Threat 1
Threat 2
Threat n
Priority of Controls	1	2

The next step is to evaluate the relative risk of each listed vulnerability. Using the information documented during the risk identification process, you can assign weighted scores based on the value of each information asset.

Some questions to ask when assigning likelihood values: 1) Which threats present a danger to the assets in the given environment? 2) Which threats represent the most danger to the information? 3) How much would it cost to recover from a successful attack? 4) Which threats would require the greatest expenditure to prevent?

Using the below formula to rank the vulnerabilities and arrive at the Ranked Vulnerability Risk Worksheet:

Risk = (Value x Likelihood) – [(Value x Likelihood) x %Control] + [(Value x Likelihood) x Uncertainty]

For example, if Asset A has a value of 50 and has one vulnerability, which has a likelihood of 1.0 with no current controls and your assumptions and data are 90% accurate, the Vulnerability Rank = (50 × 1.0) – [(50 × 1.0)x0%] + [(50 × 1.0)x10%] = (50) – 0 + 5 = 55