
Asset Value Table

Asset Name | $ Value, Direct Loss: Replacement | $ Value, Consequential Financial Loss | Confidentiality, Integrity, and Availability Notes
Cash | $500,000 | 1D = $4,500 | Confidentiality
Office Building | $250,000 | 1D = $4,500 | Availability, Integrity
Server | $10,000 | NL = $500,000; L = $1,000,000 | Availability, Confidentiality
Medical Database System | $10,000 | NL = $500,000; L = $1,000,000 | Confidentiality
Laptops | $2,000 | | Availability, Confidentiality
4 Workstations/PC's | $1,400 | | Integrity
Textbooks | $3,000 | | Availability
Medical Equipment/Furniture | $60,000 | | Integrity
Medical Supplies | $5,000 | | Integrity

You may include notes about the Consequential Financial Loss below:

Consequential Financial Loss Calculations

Consequential Financial Loss | Total Loss | Calculations or Notes
Lost business for one day (1D) | $4,500 |
Privacy breach notification liability (NL) | $500,000 | Up to 1 year in prison
Lawsuit (L) | $1,000,000 |

Page 1 - Unit 2 Case Study Workbook


Analyzing Risk
Vulnerability Assessment Quadrant Map

Columns, Vulnerability (Severity): Slow Down Business | Temp. Shut Down Business | Threaten Business
Rows, Threat (Probability), one occurrence expected every:

1 week: Loss of Electricity
1 year: Stolen Laptop; Snow Emergency
5 years (.2): Flood; Malware; Hacker/Criminal
10 years (.1): Intruder; Stolen Backup Tape(s); Pandemic; Social Engineering
20 years (.05): Tornado/Wind Storm; Fire
50 years (.02):

Quantitative Risk Loss Table

Asset | Threat | Single Loss Expectancy (SLE) | Annualized Rate of Occurrence (ARO) | Annual Loss Expectancy (ALE)
Server | Malware | $1,000,000 lawsuit | 5 years @ .2 | $200,000
Medical Database System | Malware | $1,000,000 lawsuit | 5 years @ .2 | $200,000
Textbooks/Medical Supplies | Intruder | $8,000 | 10 years @ .1 | $800
Building | Tornado, Earthquake, Flood, Fire | $250,000 + $4,500/day for 90 days = $405,000; Total: $655,000 | 20 years @ .05 | $32,750
Cash | Intruder | $500,000 | 10 years @ .1 | $50,000
Medical Equipment | Natural Disaster | $60,000 + $4,500/day for 30 days until new equipment arrives = $135,000 | 20 years @ .05 | $6,750
Medical Supplies | Intruder | $5,000 + $4,500/day for 7 days until new supplies arrive = $31,500 | 10 years @ .1 | $3,150
Laptops | Malware | $1,000,000 lawsuit + $679 (laptop replacement) = $1,000,679 | 5 years @ .2 | $200,135
PC's | Malware | $1,000,000 lawsuit + $350 (PC replacement) = $1,000,350 | 5 years @ .2 | $200,070

Analysis of Risk versus Controls

Risk | ALE or Score | Control | Cost of Control
Malware | $200,135 | Server encryption, hardware firewall, backup system | $2,447.98
Intruder | $50,000 | Insurance on building, equipment, etc. of $12,500/year + Backup system of $1,599.99 | $14,099.99
Natural Disaster | $32,750 | Insurance on building, equipment, etc. of $12,500/year + Backup system of $1,599.99 | $14,099.99
Stolen Laptop | $200,135 | Hired security/alarm system for building @ $35,000/year + Server with encryption ($899) | $35,899

Note: For some prices, see next page. It is not necessary to do extensive pricing.
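The SLE, ARO and ALE arithmetic behind the Quantitative Risk Loss Table and the risk-versus-controls comparison, as an added Python example (not part of the workbook): a row is modelled as replacement cost plus downtime plus a lump-sum loss such as the lawsuit, ARO is derived from the quadrant-map interval, and the Building, Server, Laptops and Cash rows are reproduced. The class, function names and the choice of rows are this example's own assumptions.

```python
from dataclasses import dataclass

# Consequential loss figures taken from the workbook's asset value table.
LOST_BUSINESS_PER_DAY = 4_500  # "1D": lost business for one day
LAWSUIT = 1_000_000            # "L": lawsuit after a breach


@dataclass
class RiskRow:
    asset: str
    threat: str
    direct_loss: float          # replacement cost counted in the row
    consequential: float = 0.0  # lump-sum consequential loss (e.g. the lawsuit)
    downtime_days: int = 0      # days of lost business until recovery
    years_between: float = 1.0  # expected interval, read off the quadrant map

    def sle(self) -> float:
        """Single Loss Expectancy: total cost of one incident."""
        return (self.direct_loss + self.consequential
                + self.downtime_days * LOST_BUSINESS_PER_DAY)

    def aro(self) -> float:
        """Annualized Rate of Occurrence: once per N years is 1/N per year."""
        return 1 / self.years_between

    def ale(self) -> float:
        """Annual Loss Expectancy = SLE x ARO (written as a division to keep exact figures)."""
        return self.sle() / self.years_between


def control_decision(ale: float, control_cost: float) -> dict:
    """Risk-versus-controls step: a control is justified if it costs less than the ALE it reduces."""
    net = round(ale - control_cost, 2)
    return {"net_benefit": net, "justified": net > 0}


def workbook_rows() -> list[RiskRow]:
    """Rows of the Quantitative Risk Loss Table built from replacement + downtime + lawsuit."""
    return [
        RiskRow("Building", "Tornado/Earthquake/Flood/Fire", 250_000, downtime_days=90, years_between=20),
        RiskRow("Server", "Malware", 0, consequential=LAWSUIT, years_between=5),  # workbook counts the lawsuit only
        RiskRow("Laptops", "Malware", 679, consequential=LAWSUIT, years_between=5),
        RiskRow("Cash", "Intruder", 500_000, years_between=10),
    ]


def prioritized_ale() -> list[tuple[str, float]]:
    """Assets ordered by ALE, largest expected yearly loss first."""
    return sorted(((r.asset, round(r.ale(), 2)) for r in workbook_rows()), key=lambda p: -p[1])
```

The Laptops row comes out at $200,135.80; the workbook table shows it truncated to $200,135.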

Appendix
Hardware & Software | Price or Hours
Laptop – Dell Inspiron 14 | $649 [1]
Encrypted Disk | $59 [1]
Firewall/Antivirus software (for PC): Symantec Endpoint Protection Small Business Edition | $200 for 5 users [2]
Server with Encryption: Dell PowerEdge 2970 Rack Server | $899 [1]
RAID 3 disk system: LaCie 4big Quadra – 4TB hard drive array | $749 [4]
Battery backup: APC BR1500 – Typical backup time at 200W is ~33 minutes [3] | $249 [3]
Battery backup: APC SMT2200 – Typical backup time at 200W is ~3 hours [3] | $879 [3]
Hardware Firewall or Router with Security options, Multihomed – three regions: Cisco 1841 Integrated Services Router | $979.99 [4]
WLAN – IEEE 802.11 WPA2 setup: Cisco 2112 Wireless LAN Controller for Up to 12 Access Points | $2903.99 [4]
WLAN – IEEE 802.11 WPA2 setup: Cisco Aironet 1141 – wireless access point | $684.99 [4]
Backup System: Dell 400/800 GB LTO-3 Internal Tape Drive | $1599.99 [1]
Backup System: Dell LTO Ultrium 3 Tape Drives – 20 pack | $568.99 [1]

Services | Price or Hours
Hourly rate | $100 - $150
Virtual Private Network: Installation and configuration | 2 – 6 hours
Virtual Private Network: User training (per user) | 30 mins – 1 hour
WLAN: Installation of 5 access point WLAN | 7 hours

Bracketed numbers refer to the sources listed below.

This price list is actually taken from a number of sources, including:


1. www.dell.com,
2. www.symantec.com,
3. www.apc.com,
4. www.cdw.com

*Adapted from Small Business Information Security Workbook, Aug. 20, 2012 – Version 3.0, Author: Susan Lincke PhD CISA

Sources included:
- Richard Kissel, NISTIR 7621, "Small Business Information Security: The Fundamentals (Draft)", National Institute of Standards and Technology, U.S. Dept. of Commerce, May 2009, http://csrc.nist.gov/publications/drafts/ir-7621/draft-nistir-7621.pdf.
- COBIT 4.1, IT Governance Institute, www.itgi.org.
- CISA Review Manual 2009 (Certified Information Systems Auditor), ISACA, www.isaca.org.
