Conducting Risk Assessment and Analysis
Risk assessment can be as simple as noting an unlocked door or a password written on a note, or it can be a complex process requiring several team members and months to complete. A large enterprise environment probably has multiple locations, diverse activities, and a wide array of resources to evaluate. You don't need such a complex network, however, for your lab project; the main idea is to learn how to apply your knowledge in a methodical fashion to produce useful and accurate data. Approaching a task such as risk assessment without a strategy means repeating steps, wasting resources, and achieving mediocre results at best. Even worse, you might miss critical information.
You need the network (FILE ATTACHED) and facility (FILE ATTACHED) diagrams used in Unit 1 for this project.
You will also need:

* Business Process Identification Worksheet (FILE ATTACHED)
* Asset Identification Worksheet (FILE ATTACHED)
* Threat Identification and Assessment Worksheet (FILE ATTACHED)
* Threat Mitigation Worksheet (FILE ATTACHED)
* Some imagination 

In a real risk analysis process, one of the first steps is meeting with all department managers, upper management, employee representatives, workers in the production environment, human resources staff, and other staff members to get their input. Without input from the people actually doing the work, you might not think of essential factors. That isn't possible here, so direct any problems you have to your instructor, or do independent research to find your answers.
Remember: threats can affect multiple assets and vice versa, so the same asset might be listed more than once.

Task

1. First, identify the business processes that must continue for the organization to keep functioning - for example, collecting money from customers, receiving and processing sales, developing new products, and so on. Document major business processes that drive LedGrafix, using the Business Process column of the Business Process Identification Worksheet. (You need your imagination and some common sense for this step.) Assign a priority level to each process (using the priority rankings in the following list). Write down the department that performs the process, and leave the Assets Used column blank for now.
* Critical - Absolutely necessary for business operations to continue. Loss of a critical process halts business activities.
* Necessary - Contributes to smooth, efficient operations. Loss of a necessary process doesn't halt business operations but degrades working conditions, slows production, or contributes to errors.
* Desirable - Contributes to enhanced performance and productivity and helps create a more comfortable working environment, but loss of a desirable process doesn't halt or negatively affect operations. 
Save your file as U2_BusProcess.doc. You will be updating this file later in this lab.
2. Next, identify the organization's assets. Using the Asset Identification Worksheet, list each asset, its location, and approximate value, if known. (For multiple identical assets, describe the asset and list the quantity instead of listing each individual asset.) In organization-wide risk assessments, you would list all assets, including office furniture, industrial equipment, personnel, and other assets. For this project, stick to information technology assets, such as computers, servers, and networking equipment. The information you enter depends on the network design from Unit 1. All the equipment needed to build your network should be listed here as well as any cabling in the facility. (Assume the facility is already wired for a computer network with network drops available for each computer.) Hint: Remember to list items such as electricity and your Internet connection.
Save your file as U2_AssetID.doc. You will be updating this file later in this lab.
3. Now, determine which assets support each business process. Update your Business Process Identification Worksheet, and list the assets needed for each business process in the Assets Used column. Save the file.
4. Each process should be documented and have a priority assigned to it. Next, transfer the priority rankings and update your Asset Identification Worksheet. Now you know which assets are the most critical to restore and warrant the most expense and effort to secure. You also have the documentation to back up your security actions for each item. Save the file.
5. The final step is assessing existing threats. Table 2-6 (below) gives examples of ways to evaluate some types of threats and suggests ways to quantify them. On the Threat Identification and Assessment Worksheet, list each possible threat. Be sure to consider threats from geographic and physical factors, personnel, malicious attack or sabotage, and accidents. Also, examine the facility diagram for flaws in the facility layout or structure that could pose a threat, such as air-conditioning failure or loss of electrical service. Assess the probability of occurrence (POC) on a 1 to 10 scale, with 1 being the lowest and 10 the highest, and assign those ratings in the POC column for each threat.
Save your file as Threats.doc. You will be updating this file later in this lab.
[Image: Threat Evaluation]

6. Using your updates to the Asset Identification Worksheet, determine which assets would be affected by each threat. List those assets in the Assets Affected column of the Threat Identification and Assessment Worksheet. For an electrical outage, for example, list all assets requiring electricity to operate; for a hardware failure, list all assets a hardware failure would disrupt, damage, or destroy. Save the file.
7. In the Consequence column of the Threat Identification Worksheet, enter the consequences of the threat occurring, using the following designations:
* Catastrophic (C) - Total loss of business processes or functions for one week or more. Potential complete failure of business.
* Severe (S) - Business would be unable to continue functioning for 24 to 48 hours. Loss of revenue, damage to reputation or confidence, reduction of productivity, and/or complete loss of critical data or systems.
* Moderate (M) - Business could continue after an interruption of no more than 4 hours. Some loss of productivity and damage or destruction of important information or systems.
* Insignificant (I) - Business could continue functioning without interruption. Some cost incurred for repairs or recovery. Minor equipment or facility damage. Minor productivity loss and little or no loss of important data. 
8. Continue to update your Threat Identification Worksheet, and rate the severity of each threat in the Severity column, using the same designations as in the preceding list for consequences (C, S, M, or I). You derive these ratings by combining the probability of occurrence, the asset's priority ranking, and the potential consequences of a threat occurring. For example, if an asset has a Critical (C) priority ranking and a Catastrophic (C) consequence rating, it has a Catastrophic (C) severity rating. If you have mixed or contradictory ratings, you need to re-evaluate the asset and use common sense. A terrorist attack that destroys the facility and kills half the staff might have a probability of occurrence (POC) of only 1 (depending on your location), but if it happened, the consequences would definitely be catastrophic. Even so, because of the low POC, you wouldn't necessarily rank its severity as catastrophic. Save the file.
9. Finally, on the Threat Mitigation Worksheet, list assets that are ranked as the most critical and threatened with the highest severity. In the Mitigation Techniques column, list recommendations for mitigating threats to those assets. For example, to mitigate the threat of an electrical outage damaging a critical server, you might suggest a high-end uninterruptible power supply (UPS). Save your file as ThreatMitigation.doc.
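
The worksheet chain in steps 3 to 9, as an added example that is not part of the original assignment: assets inherit priority from the processes they support, each threat is rated per asset, and the Critical assets facing the highest severity are shortlisted for mitigation. The sample rows are constructed, and the severity rule (cap the consequence by asset priority, drop one level when POC is 2 or lower) is an assumption standing in for the "common sense" judgment step 8 asks for.

```python
# Added example: constructed worksheet rows and an assumed severity rule.
PRIORITY = {"Critical": 3, "Necessary": 2, "Desirable": 1}
LEVELS = "IMSC"  # Insignificant < Moderate < Severe < Catastrophic

# Steps 1 and 3: process -> (priority, assets used). Constructed sample rows.
PROCESSES = {
    "Process customer orders": ("Critical", ["Database server", "Core switch"]),
    "Develop new products": ("Necessary", ["File server", "Core switch"]),
    "Publish staff newsletter": ("Desirable", ["Intranet web server"]),
}
ALL_IT = ["Database server", "File server", "Core switch", "Intranet web server"]

# Steps 5 to 7: threat -> (POC 1-10, consequence, assets affected). Constructed.
THREATS = {
    "Electrical outage": (6, "C", ALL_IT),
    "Disk failure": (7, "S", ["Database server", "File server"]),
    "Facility destroyed by attack": (1, "C", ALL_IT),
    "Web server defacement": (4, "S", ["Intranet web server"]),
}

def asset_priorities(processes):
    """Step 4: an asset inherits the highest priority of any process using it."""
    ranked = {}
    for priority, assets in processes.values():
        for asset in assets:
            if PRIORITY[priority] > PRIORITY.get(ranked.get(asset), 0):
                ranked[asset] = priority
    return ranked

def severity(poc, consequence, priority):
    """Step 8 (assumed rule): cap the consequence by asset priority, then
    drop one level when the probability of occurrence is 2 or lower."""
    level = min(LEVELS.index(consequence), PRIORITY[priority])
    if poc <= 2:
        level = max(level - 1, 0)
    return LEVELS[level]

def mitigation_shortlist(processes, threats):
    """Step 9: Critical assets paired with their highest-severity threats."""
    ranked = asset_priorities(processes)
    rows = [(asset, threat, severity(poc, cons, "Critical"))
            for threat, (poc, cons, assets) in threats.items()
            for asset in assets if ranked.get(asset) == "Critical"]
    worst = max(LEVELS.index(sev) for _, _, sev in rows)
    return sorted(r for r in rows if LEVELS.index(r[2]) == worst)

if __name__ == "__main__":
    for asset, threat, sev in mitigation_shortlist(PROCESSES, THREATS):
        print(f"{asset}: {threat} -> severity {sev}")
```

The low-POC facility attack rates Severe rather than Catastrophic under this rule, matching the reasoning in step 8, so only the electrical outage rows reach the shortlist.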

Computer Engineering, Engineering

  • Category:- Computer Engineering
  • Reference No.:- M9107741
