
Risk management HW

Part 1 – Asset Identification, fill out Table A.


1. Identify assets at your university, including at least one in each (people, data, procedures,
etc.).
2. For each asset, list whether it is critical, high, medium, or low (C,H,M,L).
3. Asset valuation – Determine the numeric value (1-10) of identified assets. Use personal
judgment. Keep the mission of the enterprise in mind.

Asset Value
Critical (10): compromise to assets would have grave consequences leading to loss of life, serious injury, or mission failure
High (7-9): compromise to assets would have serious consequences that could impair operations for a significant period of time
Medium (5-6): compromise to assets would have moderate consequences that could impair operations for a limited period of time
Low (1-3): compromise to assets would have little or no impact on the continuation of operations

Asset Analysis: Valuation Elements to Consider:
● Cost of Producing the Asset
● Value of the Information/Service on the Open Market
● Cost of Reproducing the Asset if Destroyed
● Benefit the Asset Brings to the university in Meeting the Mission and Supporting Student Learning
● Repercussion to the University if the Information and Services were not Readily Available
● Advantage Given to Someone if They Could Use, Change, or Destroy the Asset
● Cost if Information is Released, Altered, or Destroyed (Litigation)
● Loss of Administration, Teacher, Student, Parent, and Community Confidence if Information is not Held & Processed Securely
● Loss of General Credibility & Embarrassment

Table A.
Category              ASSET                                 C,H,M,L  Asset Value (1-10)
people                Kim Schatzel                          H        8
                      Students                              C        10
Data and information  Student Records (Loans, Grades, etc)  C        10
procedures            Daily emails/announcements            L        3
software              Blackboard                            M        5
                      Peoplesoft                            H        7
hardware              University Computers                  C        10
                      Lab equipment                         H        7

Part 2 – Threat Identification, fill out table B
1. List and identify 5 threats, examples:
● Act of human error or failure
● Compromise of intellectual property
● Deliberate acts of espionage
● Deliberate acts of information extortion
● Sabotage, vandalism, theft
● Software attacks
● Forces of nature
● Technical hardware failures
● Software failures
● Technological obsolescence
2. Rating - for each threat, list whether it is critical, high, medium, or low. The threat rating is a
subjective judgment based on existence, capability, history, intention, and targeting.
3. Threat valuation – Determine the numeric rating of each threat. Use personal judgment. Keep
the mission of the entity in mind.

Threat Rating
Critical (10): Known aggressors or hazards, highly capable of causing loss or damage, exist. One or more vulnerabilities are present. The threat source is known to have intent and means.
High (7-9): Known aggressors or hazards, capable of causing loss or damage to the school, exist. One or more vulnerabilities are present and the aggressors are known or reasonably suspected of having intent and means.
Medium (5-6): Known aggressors or hazards that may be capable of causing loss or damage exist. One or more vulnerabilities may be present; however, the aggressors are not believed to have intent.
Low (1-3): Few or no aggressors or hazards exist. Their capability of causing damage is doubtful.

Table B.
#  THREAT                                                                                             C,H,M,L  Threat Rating (1-10)
1  Someone steals a faculty onecard and gains access to all buildings and rooms                       H        9
2  Someone hacks into PeopleSoft and gains the ability to change or delete students’ grades           H        8
3  A rival school commits a DoS attack on Blackboard, making teachers unable to host online lectures  M        6
4  A hacker gains access to the financial aid office computer and erases student loan data            C        10
5  A powerful storm destroys one or more of the academic buildings on campus                          C        10

Part 3 – Vulnerability Identification, fill out table C
1. List and identify vulnerabilities, examples:
● Human
● Operational – insufficient security procedures
● Informational vulnerabilities
● Facility – weak physical location and geographical
● Equipment
2. Rating- for each vulnerability, list whether it is critical, high, medium, or low. The
vulnerability rating is a subjective judgment based on existence, capability, history,
intention, and targeting.
3. Vulnerability valuation – Determine the numeric rating of each vulnerability. Use
personal judgment. Keep the mission of the entity in mind.

Vulnerability Rating
Critical (10): no known countermeasures and adversary capability exists
High (7-9): no known countermeasures and adversary capability exists
Medium (5-6): there are effective countermeasures in place, but adversaries can exploit a weakness
Low (1-3): multiple levels of countermeasures exist and few or no adversaries could exploit the asset

Table C.
#  Vulnerability                                                                       C,H,M,L  Vulnerability Rating (1-10)
1  Human error - susceptible to social engineering to gain access to student accounts  M        5
2  Backdoors to University systems                                                     M        5
3  Open campus / unlimited access to academic buildings                                H        7
4  Human error - onecard theft can allow access to meal plans, dorms, etc.             M        5
5  Weak passwords to systems                                                           L        3

Part 4 – Risk Assessment

Risk = Asset Value x Threat Rating x Vulnerability Rating

Risk      Risk Rating
>260      Critical
141-260   High
101-140   Medium
1-100     Low

Risk Assessment: Fill out the table below based on the asset, threat, and vulnerability
assessment values calculated above. All italic values should be replaced with your own data.
After completing, color code using the table above.

Table D.
                            Threat 1          Threat 2          Threat 3          Threat 4
                            Data breach       Natural disaster  Identity theft    Espionage

Asset 1: Students
  Asset Value               10
  Threat Rating             9                 5                 3                 3
  Vulnerability Rating      7                 5                 3                 3
  Asset * threat * vuln =   630               250               90                90

Asset 2: Student Records
  Asset Value               10
  Threat Rating             9                 5                 6                 3
  Vulnerability Rating      4                 5                 2                 3
  Asset * threat * vuln =   360               250               120               90

Asset 3: Blackboard/Peoplesoft
  Asset Value               6
  Threat Rating             7                 4                 5                 2
  Vulnerability Rating      4                 1                 2                 2
  Asset * threat * vuln =   168               24                60                24

Asset 4: University Computers
  Asset Value               8
  Threat Rating             5                 2                 9                 3
  Vulnerability Rating      5                 1                 6                 3
  Asset * threat * vuln =   200               16                432               72

Asset 5: Financial Aid records
  Asset Value               10
  Threat Rating             9                 2                 9                 5
  Vulnerability Rating      7                 1                 4                 5
  Asset * threat * vuln =   630               20                360               250
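
The Part 4 calculation as an added Python example (not part of the original worksheet): it recomputes every Table D cell as Asset Value x Threat Rating x Vulnerability Rating, maps each score to the risk bands above, ranks the cells, and lists any rating that none of the worksheet's 1-10 scale rows (1-3, 5-6, 7-9, 10) covers. The ratings are those in Table D; all function and variable names are assumptions.

```python
# Added example: ratings copied from Table D; all names here are illustrative.
THREATS = ["Data breach", "Natural disaster", "Identity theft", "Espionage"]

# asset -> (asset value, threat ratings, vulnerability ratings), one entry per threat
TABLE_D = {
    "Students":              (10, [9, 5, 3, 3], [7, 5, 3, 3]),
    "Student Records":       (10, [9, 5, 6, 3], [4, 5, 2, 3]),
    "Blackboard/Peoplesoft": (6,  [7, 4, 5, 2], [4, 1, 2, 2]),
    "University Computers":  (8,  [5, 2, 9, 3], [5, 1, 6, 3]),
    "Financial Aid records": (10, [9, 2, 9, 5], [7, 1, 4, 5]),
}

# Worksheet scale rows for a single rating; the value 4 has no row.
SCALE = {"Low": range(1, 4), "Medium": range(5, 7), "High": range(7, 10), "Critical": range(10, 11)}

def risk_band(score):
    """Map a risk score to the Part 4 bands (>260, 141-260, 101-140, 1-100)."""
    if score > 260:
        return "Critical"
    if score >= 141:
        return "High"
    if score >= 101:
        return "Medium"
    return "Low"

def scale_label(rating):
    """Return the C/H/M/L label for a 1-10 rating, or None if no scale row covers it."""
    return next((name for name, rng in SCALE.items() if rating in rng), None)

def assess(table=TABLE_D):
    """Return (asset, threat, score, band) rows sorted by descending risk, plus unlabelled ratings."""
    rows, unlabelled = [], []
    for asset, (value, t_ratings, v_ratings) in table.items():
        for threat, t, v in zip(THREATS, t_ratings, v_ratings):
            score = value * t * v
            rows.append((asset, threat, score, risk_band(score)))
            unlabelled += [(asset, threat, kind, r)
                           for kind, r in (("threat", t), ("vulnerability", v))
                           if scale_label(r) is None]
    rows.sort(key=lambda row: row[2], reverse=True)
    return rows, unlabelled

if __name__ == "__main__":
    ranked, gaps = assess()
    for asset, threat, score, band in ranked:
        print(f"{score:4d}  {band:8s}  {asset} / {threat}")
    for asset, threat, kind, rating in gaps:
        print(f"no scale label for {kind} rating {rating}: {asset} / {threat}")
```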
