Risks for Information Assets (data files, databases, operational and support procedures, archives, disaster management plans) in a small to medium business include Data Theft, Ransomware and Forces of Nature.
Document in detail the results of a risk assessment for the three identified risks, including reasons justifying each as significant, and the risk assessment factors. For each of the identified risks propose potential mitigation and control measures, and state what actions would appear in a risk control strategy plan to demonstrate confidence in the effectiveness of the suggested mitigation and control measures.
Documentation of Risk Assessment:
We have performed the risk assessment for the Information Assets of a Small and Medium Enterprise, XYZ Company, and the summary of the findings is detailed below:
1. Data Theft Risk:
| Findings | Severity of Risk | Potential Impact and Mitigation |
|---|---|---|
| Access to the accounting databases was open for modification to "all users", without limitation of access based on level of usage and requirement. | High | Brings into question the reliability of the accounting information and of the reports generated from it; based on sample tests, this could result in an adverse opinion on the financial statements. Mitigation: the enterprise should immediately curtail access and revisit user-based access controls, granting access based on usage and requirement. |
| Physical access controls for the server room were inadequate. It was observed that the data room was accessible by staff without monitoring. | High | Potential impact could be theft or unauthorized changes. Needs immediate management action. Mitigation: the server room to remain locked at all times, with only authorized IT personnel holding keys. A log book to be maintained recording the time and purpose of each access, signed by the personnel accessing. CCTV to be installed to monitor access. |
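The first finding above (write access to the accounting database open to all users) can be corrected and then evidenced in the way the mitigation describes: revoke the blanket grant, create roles by usage and requirement, and query the catalog to show who can still modify the tables. The following is an added example, not part of the original assessment; it assumes PostgreSQL, a schema named `accounting`, and hypothetical role names.

```sql
-- Weak state as found: every login role inherits write access through PUBLIC
-- (reconstructed for illustration; schema name "accounting" is an assumption).
-- GRANT ALL PRIVILEGES ON ALL TABLES IN SCHEMA accounting TO PUBLIC;

-- Step 1: remove the blanket grant so nothing is inherited by default.
REVOKE ALL PRIVILEGES ON ALL TABLES IN SCHEMA accounting FROM PUBLIC;
REVOKE ALL ON SCHEMA accounting FROM PUBLIC;

-- Step 2: roles defined by usage and requirement (hypothetical names).
CREATE ROLE acct_reader NOLOGIN;   -- auditors and management reporting: read only
CREATE ROLE acct_writer NOLOGIN;   -- accounts staff who post entries
GRANT USAGE ON SCHEMA accounting TO acct_reader, acct_writer;
GRANT SELECT ON ALL TABLES IN SCHEMA accounting TO acct_reader;
-- No DELETE for writers: corrections are posted as reversing entries, so the audit trail is kept.
GRANT SELECT, INSERT, UPDATE ON ALL TABLES IN SCHEMA accounting TO acct_writer;
-- Tables created later get the same restricted privileges automatically.
ALTER DEFAULT PRIVILEGES IN SCHEMA accounting GRANT SELECT ON TABLES TO acct_reader;
ALTER DEFAULT PRIVILEGES IN SCHEMA accounting GRANT SELECT, INSERT, UPDATE ON TABLES TO acct_writer;

-- Step 3: individual users receive access only through a role (placeholder passwords).
CREATE ROLE auditor_jones LOGIN PASSWORD '<set-from-secret-store>';
GRANT acct_reader TO auditor_jones;
CREATE ROLE clerk_smith LOGIN PASSWORD '<set-from-secret-store>';
GRANT acct_writer TO clerk_smith;

-- Step 4: evidence for the risk control strategy plan. After the change this
-- lists only acct_writer (plus the table owner); PUBLIC must not appear.
SELECT grantee, table_name, privilege_type
FROM information_schema.table_privileges
WHERE table_schema = 'accounting'
  AND privilege_type IN ('INSERT', 'UPDATE', 'DELETE')
ORDER BY grantee, table_name;
```

Re-running the final query on a schedule, and filing its output, is the kind of recurring check that demonstrates the control is still effective after the initial remediation.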
2. Ransomware Risk:
| Findings | Severity of Risk | Potential Impact and Mitigation |
|---|---|---|
| Verification of the data storage protocol showed that no cloud-based backup was being made. | Moderate | Though the enterprise regularly makes physical data backups, an additional level of cloud storage is recommended. |
| Not all systems connected to the enterprise network had antivirus protection. | High | Needs to be rectified immediately, since this could compromise the security of the server. Action: install antivirus on all systems. |
3. Threat of Nature:
| Findings | Severity of Risk | Potential Impact and Mitigation |
|---|---|---|
| Not everyone at the enterprise was aware of the safety passages to use in the event of fire, or of the presence and method of use of fire extinguishers. | High | Without proper training, there is a high potential for unforeseen events. Fire drills to be made mandatory, and data centres to have designated personnel to immediately put out any such risk and to monitor continually, to prevent events that cause such risk. |
| No secondary location holding data backups. | High | Physical loss of data could result in the loss of critical enterprise data, with a massive loss of resources and time in recovering it. The enterprise to immediately establish a backup location, with the enterprise data updated daily on the secondary server. |