Risk Assessment Findings Report
Instructions: Number 4 “Conduct the assessment”
Risk Assessment Findings Report
Risk Assessment Findings Report
Introduction
In any organization that carries out a risk assessment, the findings must be communicated to the relevant bodies for proper and appropriate extenuation activities to be taken. The sole drive of steering the assessment was to evaluate the security status of the organization and provide suitable levels of safety and security for its information system (Stoneburner, Goguen, & Feringa, 2002). This paper discloses the report on findings of the assessment of activities that were carried out on the information system of BRI (Bureau if Research and Intelligence). It will document the outline of the recognized threat causes, vulnerabilities, prospects of security breach happening, magnitude of the impact and the risks exposed by the identified threats on the information system of the organization (Wright, 2011).
Threat Sources and Events
The assessment team was able to use appropriate tools and mechanisms that were able to identify susceptibility sources and events of threats. It is evident that sources of such threats were found to be caused by human errors and system faults (Pfleeger & Pfleeger, 2002). The tabulation below illustrates the sources of threat and the corresponding action on the threat.
| Sources of Threats | Actions of Corresponding Threats |
| System Faults | Workers were able to access clients’ confidential information without authorization. Employees were able to have excessive privileges due to system bugs |
| Hackers (It was evident that nation-state-initiated hackers hacked the system) | System interruption.Unauthorized access to the network of the agencyHackers were able to access confidential informationCreated room for social engineering |
| Insiders (they originated from terminated employees, negligence among workers, and dishonest employees and malicious software) | Stolen laptops from a teleworker led to the loss of confidential information.Some employees started using personalized emails for official tenacities. Those terminated by the agency were able to access the system without authorization.Resentful employees disclosed valuable and confidential information.Software that was malicious affected the system by slowing it down |
| Computer crimes (Hsiao, Kerr, & Madnick, 2014) | Employees experience identity theft.Hoaxing System interruption and invasions. |
Vulnerabilities and Predisposing Conditions
Findings suggest that vulnerabilities were associated with authentication and credentials controls, system security, data security, end user security as well as physical security. The table below shows potential vulnerabilities in the findings.
| Vulnerability Type | Explanation |
| Disaster Recovery | The data center manager has a recovery plan in case of a network shutdown or failure by hackers. The data manager has to keep it secret from other people. |
| Password Security Strength | Passwords did not have an expiry date, and they were customized to eight characters. Also, the password was the only gateway to the accessing the system, therefore, rendered the system vulnerable to any form of security attack. |
| Approval and Authorization Controls | The system provides the workers or users disproportionate and unlimited privileges. At least twenty employees accounts are active at any given time. |
| Encryption Integrity Checks | The BRI system did not have data encryption for transit and stored data. The system granted workers access to classified databases. Additionally, the agency did not carry out any form of background check on its employees. |
| Poor Documentation | All the processes did not receive any proper documentation as they remained in the system manager’s mind. |
| Lack of system usage and directives | Most of the system users in the agency were permissible to use public clouds and social media apps such as Twitter and Facebook deprived of the company network. Additionally, BRI did not have a policy that regulated the handling of classified information. |
| Corporeal security controls | Unauthorized personnel and persons were allowed to gain access to the secure data center after dogging any official worker. Additionally, the agency was not able to identify workers who were dismissed. |
Likelihood of Occurrence
According to (den Braber, Hogganvik, Lund, Stølen, & Vraalsen, 2007), likelihood of any threat is calculated by the following equation.
RISK = LIKELIHOOD OF THE THREAT X MAGNITUDE OF IMPACT
Such a model categorized likelihood as either high, medium or low contingent of the effect initiated by the source of the threat. There are weight factors in that fully defines each category of likelihood. First, High likelihood has a weight factor of 1. 0. 1.0 factor explains that the likelihood of a threat is high if the source of the threat is highly motivated and initiatives geared upon preventing such vulnerabilities are likely to be unsuccessful or ineffective. Secondly, Medium likelihood has a weight factor of 0.5. It explains that the source of the threat is motivated and capable but the controls to prevent them may hinder effective exercise of the vulnerability. Lastly, a low likelihood, weighted as 0.1, suggests that a source of threat lacks capability and control and the controls put in place to curb or at least meaningfully impede, the susceptibility from being exercised.
Magnitude of Impact
| Impact on the subject (Score) | Definition |
| High (100) | High impact is evident in the agency as they have a catastrophic adversative effect on the operations, data, and access. These include unauthorized access, the absence of integrity, confidentiality and making the system available to each and every worker anytime can cause financial loss, mutilation to assets and loss of cloistered information. |
| Medium (50) | Vulnerability issues that can lead to serious effects on the operations of the company especially when data and other assets are accessed illegally. This will lead to assets damage, significant information loss and consequently financial loss. |
| Low (10) | Unsanctioned access, lack of integrity and system availability is expected to impact the agency limitedly on its operations, data, and assets. |
Risk calculation
Using the above computations, an estimate of the risk is tabled below.
| Likelihood of a threat Score | Impact is causes | ||
| Low (10) | Medium (50) | High (100) | |
| High (1.0) | Low Risk (10 × 1.0 = 10) | Medium Risk (50 × 1.0 = 50) | High Risk (100 × 1.0 =100) |
| Medium (0.5) | Low Risk (10 × 0.5 = 5) | Medium Risk (50 × 0.5 =25) | Medium Risk (100 × 0.5 =50) |
| Low (0.1) | Low Risk (10 × 0.1 =1) | Low Risk (50 × 0.1 = 5) | Low Risk (100 × 0.1 = 10) |
Conclusion
The assessment came up with
dedications that the BRI information system was experiencing considerable security faults that need
rectification. Also, there is a dire need for the agency to complete
structuring of the security policy to focus on minimizing the threat that is documented in this paper.
References
den Braber, F., Hogganvik, I., Lund, M. S., Stølen, K., & Vraalsen, F. (2007). Model-Based Security Analysis in Seven Steps— A Guided Tour to the CORAS Method. BT Technology Journal, 25(1), 101-117.
Hsiao, D. K., Kerr, D. S., & Madnick, S. E. (2014). Computer Security. Cambridge, Massachusetts, United States of America: Academic Press.
Pfleeger, C. P., & Pfleeger, S. L. (2002). Security in Computing. New York: Prentice Hall Professional Technical Reference.
Pillai, D., & Andley, P. (2010). Information Security Threats. Compendium of Papers 2009-10, p. 58.
Stoneburner, G., Goguen, A. Y., & Feringa, A. (2002). Sp 800-30. Risk Management Guide for Information Technology Systems.
Wright, D. (2011). A Framework for the Ethical Impact Assessment of Information Technology. Ethics and Information Technology, 13(3), 199-226.