
CIS4003 SOLUTION

Table of Contents
Introduction to the Case
The Company
Information technology department
RISK DETERMINATION PHASE
    Assets and owners
    Asset Value
    Identify threats to Assets and their Likelihood
    Identify Vulnerabilities and the Likelihood of their Exploitation by the Identified threats
    Describe Risks to the Assets based on Points (1, 2, 3)
    Evaluate Risk based on Point (5)
SAFEGUARD DETERMINATION PHASE
    Define the recommended Controls and Safeguards based on the 20 critical security controls
    Determine the residual likelihood of occurrence if control and safeguard are implemented
    Determine residual severity of impact if candidate control and safeguard are implemented
    Determine residual risk levels
References
PROJECT REQUIREMENTS
Introduction to the Case
IT risk management is a key part of Smart Solutions Company's business process; its purpose is to
identify and manage the risks a commercial firm faces. Risk management carried out on a business
covers the organization's aggregate data and supports the efficient operation of the corporation.
This study aims to support the firm in analysing its level of risk acceptance and its general
security requirements. From that baseline the company can develop monitoring and deployment
processes that reduce the risk levels in the firm. The outcome of this examination is a survey of
the organization, obtained by analysing the structure and management of the corporation. Several
factors will be discussed concerning the selection, administration and use of IT services,
including service provider credentials, expertise, operational needs, service organization and
the trustworthiness of the supplier.

The Company
As a notable organization, Smart Solutions provides coherent ICT services to a wide range of
commercial business units, such as retail, manufacturing, tourism and commerce. The company's
revenue comes from developing and maintaining various tools, including procurement and
supply-chain management technologies that help other firms run their commercial activities faster
and more efficiently. Although the firm has 600 employees and many locations throughout the
nation, its database servers are kept on-site at the main office. The company's business strategy
is based on automated interactions with key suppliers and customers. Smart Solutions Co. uses the
Microsoft Azure cloud platform to handle internal and external transactions and communications.
A total of 25 internal applications and 250 external trading partners are connected to the
company. Processing volume is expected to reach 1.8 million documents per week by 2021, up from
the present 1.3 million.

Information technology department

The Information Technology Department manages the data centers, network infrastructure, software,
application servers and equipment, and ensures that the company's IT infrastructure runs smoothly.
Its services include information systems security, updates, training on application use and
system maintenance. The corporation uses a firewall to protect the data center from unauthorized
access from within the company's network; the firewall regulates all traffic entering and leaving
the data center.
In practice, however, the security team has configured the firewall to allow data to flow freely
from any point in the network, regardless of origin or destination, and the firewall's settings
can be changed over a plain HTTP connection; everything is left for the firewall to handle. The
business relies heavily on e-mail contact with its customers for transaction processing, so it
wishes to protect its e-mail service from attack. The corporation also allows employees to store
corporate data in the cloud, and VPN connections provide remote access to the web server (Orcutt
2018). To safeguard the company's crucial data, the firm has implemented a backup procedure;
however, because testing is costly in both time and money, no routine restore testing is
performed, so it is not known whether the backups can actually be restored. A company's firewall
must be kept up to date for the sake of data security, which is especially important in the
computer industry. A firewall monitors and controls incoming and outgoing traffic according to
specified security rules (Whitman & Mattord 2011); the Internet, for example, is usually separated
from a trusted internal network by such a firewall.
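The two firewall weaknesses described above (an allow-anything policy and management over plain HTTP) can be checked mechanically. The following is an added example, not code from the assignment or from the company: a small audit of a product-neutral rule list (first match wins, fields src/dst/proto/port/action) that reports those weaknesses, with the policy the case describes beside a hardened one. The addresses, the rule format and the finding severities are assumptions chosen for the example.

```python
"""Added example (not part of the original assignment): audit a firewall
policy for an allow-anything rule and for management over cleartext HTTP,
and compare the weak policy with a hardened one.

The rule representation is constructed and product-neutral (first match
wins); addresses are assumed values, not the company's real addressing."""
from dataclasses import dataclass

ANY = "any"


@dataclass(frozen=True)
class Rule:
    src: str      # source network in CIDR form, or ANY
    dst: str      # destination network in CIDR form, or ANY
    proto: str    # "tcp", "udp", "icmp" or ANY
    port: str     # destination port as text, or ANY
    action: str   # "allow" or "deny"


DEFAULT_DENY = Rule(ANY, ANY, ANY, ANY, "deny")

# IANA-registered ports of the usual management services; the first set is
# the subset that carries credentials in cleartext.
CLEARTEXT_MGMT = {"80": "http", "23": "telnet"}
MGMT_PORTS = {**CLEARTEXT_MGMT, "443": "https", "22": "ssh"}


def audit(rules, fw_addr, admin_net):
    """Return (severity, message) findings for an ordered rule list.

    fw_addr   : the firewall's own management address (CIDR /32)
    admin_net : the only network that should reach its management ports
    """
    findings = []
    for i, r in enumerate(rules):
        if r.action != "allow":
            continue
        if (r.src, r.dst, r.proto, r.port) == (ANY, ANY, ANY, ANY):
            findings.append(("high", f"rule {i}: allows any-to-any traffic, "
                                     "so nothing is actually filtered"))
        reaches_mgmt = r.dst in (fw_addr, ANY) and r.proto in ("tcp", ANY)
        if reaches_mgmt and r.port in CLEARTEXT_MGMT:
            findings.append(("high", f"rule {i}: management over cleartext "
                                     f"{CLEARTEXT_MGMT[r.port]} on port {r.port}"))
        if reaches_mgmt and r.port in MGMT_PORTS and r.src != admin_net:
            findings.append(("medium", f"rule {i}: management port {r.port} "
                                       f"reachable from {r.src}, not only from "
                                       f"{admin_net}"))
    if not rules or rules[-1] != DEFAULT_DENY:
        findings.append(("medium", "no final default-deny rule"))
    return findings


# Assumed addressing for the example.
FW_ADDR = "10.0.0.1/32"        # firewall management interface
ADMIN_NET = "10.0.99.0/24"     # security team's management network
CLIENT_NET = "10.1.0.0/16"     # employee workstations
APP_NET = "10.0.10.0/24"       # application servers in the data center

# The policy the case describes: management on HTTP, everything else open.
CURRENT_RULES = [
    Rule(ANY, FW_ADDR, "tcp", "80", "allow"),
    Rule(ANY, ANY, ANY, ANY, "allow"),
]

# A hardened version: management only from the admin network over HTTPS/SSH,
# clients reach the application servers on 443 only, everything else denied.
HARDENED_RULES = [
    Rule(ADMIN_NET, FW_ADDR, "tcp", "443", "allow"),
    Rule(ADMIN_NET, FW_ADDR, "tcp", "22", "allow"),
    Rule(CLIENT_NET, APP_NET, "tcp", "443", "allow"),
    DEFAULT_DENY,
]


if __name__ == "__main__":
    for name, rules in (("current", CURRENT_RULES), ("hardened", HARDENED_RULES)):
        found = audit(rules, FW_ADDR, ADMIN_NET)
        print(f"{name}: {len(found)} finding(s)")
        for sev, msg in found:
            print(f"  [{sev}] {msg}")
```

The current policy yields four findings (two high: any-to-any and cleartext HTTP management; two medium: the management port is reachable from anywhere and there is no closing default-deny rule), while the hardened policy yields none. Real firewalls add details this model ignores (interfaces, stateful return traffic, logging), but the audit questions are the same.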

RISK DETERMINATION PHASE


Assets and owners
The appropriate scope of security is determined by the technician in charge, based on customer
needs and the company structure. The company wants to fix present problems as quickly as possible
to protect the industry's future.
According to the report, the company's IT infrastructure comprises Microsoft Azure servers,
domain controllers, database servers, Exchange servers, print servers, the engine server
implementation, routers and switches, data centers, firewalls, and internal and external
applications.
Asset Owners
Asset ownership covers everyone who has a hand in the money being invested and the resources
being used. The owners of the company's assets should decide on the importance of each asset by
stating their preference for regular security measures.
Asset                                 Owner
Building                              CEO
Domain Controllers                    CIO
Application Server                    Application Manager
Database Server                       CIO
Exchange Server                       System Manager
Print Server                          System Manager
Engine Server Implementation          Networking Manager
Routers and Switches                  Networking Manager
Datacenter                            CIO
Internal and External Applications    Application Manager
Firewalls                             Networking Manager
Client Computers                      Customers

Asset Value
Identify threats to Assets and their Likelihood
It is good practice to categorise the key resources and to examine how each threat develops over
time. Denial-of-service attacks, surveillance and data exposure are among the threats that may
arise. The following recent incidents at the company were reported during the last several
months:
• According to a call notice, 500 customer accounts were compromised in an attack on the
company's internal network; employee PCs were reportedly the target of a cross-site scripting
attack.
• Social engineering, malware, key loggers or Trojans were used to gain access to a senior
manager's e-mail account.
• In the middle of the day, when most transactions were taking place, one of the Microsoft
Azure servers stopped responding. Although an automated failover is in place to take over when
a server fails, it did not work. During the investigation a network team member found that the
network fault had not triggered the redundant server to take over; his inability to resolve the
problem quickly led to a large number of failed transactions and a corresponding loss of income.
• The security team maintains Linux-based systems from Windows workstations. The company's
internal network was infected by malware.
• An employee detected unusual activity on a server and alerted management.
• When a problem was discovered, the security team called a meeting to discuss it; around 30
people attended, which caused a great deal of confusion.
• An internal audit showed that the security team uses a wireless connection to manage devices
such as firewalls and intrusion detection systems.
• The company's security officer saw a person wandering around the workplace who did not appear
to be an employee, partner, vendor engineer or support staff.
Safety and security are a top priority for the company's leadership, who are concerned about
privacy, identity theft, social engineering and the physical theft of electronic equipment.
Threat                                                                       Likelihood
Hacker attack                                                                High
Loss of data from virus infection                                            High
Lack of encryption                                                           Low
Exposure (sensitive data is directly released to an unauthorized entity)     High
E-mail spoofing                                                              High
Espionage on the company                                                     High
DoS attacks                                                                  Low
Server failure                                                               Moderate

Identify Vulnerabilities and the Likelihood of their Exploitation by the Identified threats.
IT security risk is evaluated from three inputs: the threats, the vulnerabilities (flaws) they
could exploit, and the attributes of the affected assets. Vulnerabilities in control software and
in the information systems themselves must be recorded so that their effect on other network
software, equipment and components can be investigated further.

Threat                      Vulnerability                                                   Likelihood
Hacker attack               Weak passwords; no protection on the firewall; no security      High
                            in the web application
Server failure              Servers are not updated                                         Moderate
Virus, malware              No anti-virus; no firewall                                      High
Lack of encryption          Careless employees using unencrypted USB drives                 Low
Espionage on the company    No VoIP system, so official calls cannot be recorded or         High
                            protected against espionage

Describe Risks to the Assets based on Points (1, 2, 3)

The company faces a number of risks, largely because the IT department lacks security expertise.
If security is not adequately built into the systems, they may fail through poor upkeep or be
breached, internally or externally, by an attack carried out in the middle of a transaction
(Kelchner, 2020). The client, system and network infrastructure may also be turned into weapons
if hackers gain access to them. Customers themselves can constitute a security risk through an
internal system attack, a virus download or data erasure. Judging from the company's data center
diagram, the risks include database destruction, PC damage that results in information loss,
hackers and malfunctioning servers (Saleh & Alfantookh 2011). For example, hackers may try to
breach the firewall or deliver malware through personal computers or the Microsoft Azure servers,
putting the company's employees at risk and leaving them unable to stop an attack in progress.

Evaluate Risk based on Point (5)

The company's "risks" are its dangers and security difficulties, covering both hardware and
software. Web servers must be protected while data is being gathered by the database servers
(Citu, 2017). These risks can be assessed from the firm's technical and financial
characteristics. The focus should be on the WAN and LAN connections and their usefulness, since a
firewall mechanism is in place; all activities and confidential information should be sent over a
secure channel.

SAFEGUARD DETERMINATION PHASE


Define the recommended Controls and Safeguards based on the 20 critical security controls.
The CIS Critical Security Controls (the "Top 20", Travis 2018) give a prioritised list of
technical safeguards; the controls recommended below can also be mapped to two broader
frameworks. ISO/IEC 27002 is a code of practice for information security controls published by
the International Organization for Standardization (ISO) and the International Electrotechnical
Commission (IEC). It gives guidance (not penalties) to those in charge of creating, implementing
and maintaining an information security management system (ISMS), so that they follow industry
best practice (Evans 2016). Its controls are stated in terms of the C-I-A triad: confidentiality,
integrity and availability.
COBIT is a widely used framework for information and technology governance developed by ISACA
(the Information Systems Audit and Control Association). It bridges the gap between technical
problems, business risks and control requirements, and the dependability it brings to an
organization's information systems supports the quality assurance and control that any modern
business needs.
Determine the residual likelihood of occurrence if control and safeguard are implemented.
Residual risk is the risk that remains after the risk controls have been applied. (The term also
has a financial sense, in which residual profit and risk are borne by shareholders.) ISO/IEC
27000 defines it as "the risk remaining after risk treatment". The process works as follows: to
mitigate the risks deemed unacceptable, the hazards must first be identified; because not every
hazard can be removed completely, some risk remains at a certain level, and this is the residual
risk (Contributor, 2014). The company needs to know whether its treatment plan is sufficient.
The method and scales used to evaluate residual risk are usually the same as those used to
evaluate the original risk; the only change is that the effect of the controls and other
mitigation is taken into account, so the likelihood of an event is lower and in some cases its
impact is reduced as well.
Control Measures / Recommended Safeguard Description:
It is recommended that the organization deploy automated event-log monitoring to improve web
server security; install strong encryption to protect the confidentiality and integrity of
user-specific data and communications exchanged electronically; encrypt e-mail and server
connections (TLS) so that messages cannot be read or altered in transit, and pair this with
sender authentication (SPF, DKIM and DMARC), since transport encryption alone does not stop a
spoofed sender address; install anti-virus software (Schou-Zibell, 2018); train employees in safe
e-mail use, safe web browsing and password management; update the servers on a regular basis;
and, to counter espionage, use a VoIP system and record official phone conversations.
Threat                                                                       Residual likelihood
Hacker attack                                                                Moderate
Loss of data from virus infection                                            Low
Lack of encryption                                                           Negligible
Exposure (sensitive data is directly released to an unauthorized entity)     Low
E-mail spoofing                                                              Moderate
Espionage on the company                                                     Low
DDoS attacks                                                                 Negligible
Determine residual severity of impact if candidate control and safeguard are implemented.
When classifying integrity, confidentiality and availability, the probability of a threat
occurring is examined together with the severity of its effect to determine the residual
severity (Peltier, 2016). Implementing the ISO 27002 controls will therefore lessen the impact
and reduce, though not eliminate, the risk.
Threat                                                                       Residual severity
Hacker attack                                                                High
Loss of data from virus infection                                            Low
Lack of encryption                                                           Low
Exposure (sensitive data is directly released to an unauthorized entity)     Low
E-mail spoofing                                                              Moderate
Espionage on the company                                                     Low
DDoS attacks                                                                 Low
Server failure                                                               Low
Determine residual risk levels.
An industrial process or investment carries many risks, and the organization has taken all the
known ones into account: it eliminates, accepts or mitigates each of them. Risk that remains in
operation comes from unknown risks and from residual risk. Using residual risk analysis, managers
can quantify where and how much effort is needed to reduce critical risk, and where they may be
overdoing it, wasting time, money and resources (Ruan, 2017). The larger the residual risk, the
greater the chance that an incident will affect the outcome.
Risk levels (likelihood of occurrence against impact severity)

Likelihood     Insignificant  Minor      Significant  Damaging   Serious    Critical
Negligible     Low            Low        Low          Low        Low        Low
Very low       Low            Low        Low          Low        Low        Moderate
Low            Low            Low        Moderate     Moderate   Moderate   High
Medium         Low            Low        Moderate     High       High       High
High           Low            Moderate   High         High       High       High
Very high      Low            Moderate   High         High       High       High
Extreme        Low            Moderate   High         High       High       High
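The assessment stops at the matrix without applying it. The following is an added example, not part of the original assignment, that combines the residual likelihood and residual severity tables through the matrix to obtain each threat's residual risk level, shows how a control's effect is expressed as steps down the same scale (clamped at the bottom), and flags the threats whose residual risk is still above an assumed risk appetite. Three assumptions are made that the page does not state: the tables' "Moderate" likelihood is treated as the matrix's "Medium"; the tables' Low/Moderate/High severity ratings are mapped onto the matrix's six-step scale as Minor/Damaging/Serious; and the risk appetite is "Low". Threat names and ratings are the ones in the tables.

```python
"""Added example (not part of the original assignment): residual risk levels
from the residual likelihood and severity tables, via the risk matrix.

Assumed, not from the page: "Moderate" likelihood == matrix "Medium";
severity Low/Moderate/High -> Minor/Damaging/Serious; risk appetite "Low"."""

LIKELIHOOD_SCALE = ["Negligible", "Very low", "Low", "Medium",
                    "High", "Very high", "Extreme"]
SEVERITY_SCALE = ["Insignificant", "Minor", "Significant", "Damaging",
                  "Serious", "Critical"]
RISK_ORDER = ["Low", "Moderate", "High"]

# Risk level matrix from the section: rows follow LIKELIHOOD_SCALE,
# columns follow SEVERITY_SCALE.
MATRIX = [
    ["Low", "Low", "Low", "Low", "Low", "Low"],                    # Negligible
    ["Low", "Low", "Low", "Low", "Low", "Moderate"],               # Very low
    ["Low", "Low", "Moderate", "Moderate", "Moderate", "High"],    # Low
    ["Low", "Low", "Moderate", "High", "High", "High"],            # Medium
    ["Low", "Moderate", "High", "High", "High", "High"],           # High
    ["Low", "Moderate", "High", "High", "High", "High"],           # Very high
    ["Low", "Moderate", "High", "High", "High", "High"],           # Extreme
]

# Assumed normalisation of the wording used in the tables onto the matrix scales.
LIKELIHOOD_ALIASES = {"Moderate": "Medium"}
SEVERITY_ALIASES = {"Low": "Minor", "Moderate": "Damaging", "High": "Serious"}


def normalise(value, aliases):
    word = value.strip().capitalize()
    return aliases.get(word, word)


def risk_level(likelihood, severity):
    """Look up the matrix; raises ValueError for a rating outside either scale."""
    row = LIKELIHOOD_SCALE.index(normalise(likelihood, LIKELIHOOD_ALIASES))
    col = SEVERITY_SCALE.index(normalise(severity, SEVERITY_ALIASES))
    return MATRIX[row][col]


def apply_steps(rating, scale, aliases, steps):
    """Lower a rating by `steps` positions on `scale`, clamped at the bottom.

    This is how a control's effect is expressed: the residual rating is the
    inherent rating moved down the same scale used for the original risk."""
    idx = scale.index(normalise(rating, aliases)) - steps
    return scale[max(idx, 0)]


# Residual likelihood and residual severity as rated in the two tables above.
RESIDUAL_REGISTER = {
    "Hacker Attack": ("Moderate", "High"),
    "Loss of data from virus infection": ("Low", "Low"),
    "Lack of encryption": ("Negligible", "Low"),
    "Exposure of sensitive data": ("Low", "Low"),
    "E-mail Spoofing": ("Moderate", "Moderate"),
    "Espionage on the company": ("Low", "Low"),
    "DDoS attacks": ("Negligible", "Low"),
}


def residual_risk_levels(register=RESIDUAL_REGISTER):
    return {threat: risk_level(lik, sev) for threat, (lik, sev) in register.items()}


def above_appetite(levels, appetite="Low"):
    """Threats whose residual risk exceeds the (assumed) acceptable level;
    these still need further treatment or a documented risk acceptance."""
    limit = RISK_ORDER.index(appetite)
    return sorted(t for t, lvl in levels.items() if RISK_ORDER.index(lvl) > limit)


if __name__ == "__main__":
    levels = residual_risk_levels()
    for threat, lvl in levels.items():
        print(f"{threat:<36} residual risk: {lvl}")
    print("still above appetite:", above_appetite(levels))
    # Clamping at the bottom of the scale: a Low likelihood reduced by two
    # steps lands on Negligible, as the encryption and DoS rows above show.
    print(apply_steps("Low", LIKELIHOOD_SCALE, LIKELIHOOD_ALIASES, 2))
```

Under these assumptions the hacker attack (Medium likelihood, Serious impact) and e-mail spoofing (Medium, Damaging) both remain at a High residual level even after the recommended safeguards, so they need either further controls or an explicit, recorded acceptance by the asset owner; the other five threats come out Low.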

References
• Citu, A. (2017). Adventures in the programming jungle: Secure software concepts; general
security concepts. https://adriancitu.com/tag/risk-management/
• Contributor, J. M. (2014). Five steps to determine residual risk during the assessment
process. https://searchcompliance.techtarget.com/tip/Five-steps-to-determine-residual-risk-during-the-assessment-process
• Evans, L. (2016). Protecting information assets using ISO/IEC security standards.
Information Management, 50(6), 28.
• Kelchner, L. (2020, April 8). What are the duties of an IT department? Careertrend.
https://careertrend.com/13374589/what-are-the-duties-of-an-it-department
• Orcutt, M. (2018, April 25). How secure is blockchain? It turns out "secure" is a funny
word to pin down. MIT Technology Review.
https://www.technologyreview.com/2018/04/25/143246/how-secure-is-blockchain-really/
• Peltier, T. R. (2016). Information security policies, procedures, and standards: Guidelines
for effective information security management. CRC Press.
• Ruan, K. (2017). Introducing cybernomics: A unifying economic framework for measuring
cyber risk. Computers & Security, 65, 77-89.
• Saleh, M. S., & Alfantookh, A. (2011). A new comprehensive framework for enterprise
information security risk management. Applied Computing and Informatics, 9(2), 107-118.
• Schou-Zibell, L., N. P. (2018, April). How secure is blockchain? World Economic Forum.
https://www.weforum.org/agenda/2018/04/how-secure-is-blockchain/
• Travis Smith (2018, August 22). Center for Internet Security (CIS) Controls: Your complete
guide of the top 20. Tripwire. www.tripwire.com
• Whitman, M. E., & Mattord, H. J. (2011). Principles of information security. Cengage
Learning.
