Risk Assessment Assignment
You will perform steps 1-3 of the risk assessment for the scenario that follows.
Grading:
For this assignment, you may want to reflect on two facets from our course thus far: (1)
the risk assessment worksheet and activity, and (2) risk assessment methods and
criteria presented in your textbook and from the lectures (such as OCTAVE; for more
information see: http://www.cert.org/octave/). Like all qualitative assignments and case
studies, not all the information is going to be explicit. You have to make logical
inferences about things that are implied or implicit, and also weed out irrelevant
information and focus in on what the important issues are.
You might want to write a short section that states your assumptions at the beginning of
your paper. That will help me determine where you are coming from if I have questions
about the path you went down. You will be judged on the quality and accuracy of the
risks in your assessment and how well you justify them. You will be required to pick a
risk assessment method presented in your textbook and use it as a framework or set of
criteria, briefly explain the method/criteria chosen, and outline your risk assessment
according to it. There is no minimum or maximum length for the paper, but to do a good
job, as a point of reference, it would take me about 6 or 7 pages. Also, the format is up
to you (and the risk method you choose).
Scenario – Risk Assessment
The Case of the Becoming Company
The Company Mission Statement
“Conscious life means the return of cosmic being as
human becoming. Spirit appears in time as a product – even
as a by-product of nature, yet it is in spirit that nature in its
endless dynamic is timelessly enveloped.
And so, Man is always becoming” (Martin Buber).
Always becoming reflects Man’s inherent need to grow,
learn, and change. The Becoming Company provides a
full line of developmental resources that help drive one’s
becoming. We not only provide it, we live it.
Scenario
The Becoming Company is a full service provider for a line of developmental training
and inspirational materials including videos, music, and books called Drive Change.
The idea grew out of Ann Roger’s personal interest after years of struggling against
generalized anxiety disorder and depression. Years of counseling and pharmacological
treatment had little effect on her outlook, until one day she read a research study on
biofeedback that described a therapy for changing thought patterns and habits which
ultimately leads to “rewiring” in the brain allowing new positive patterns of thought to
emerge and become habituated. Ann created her own therapy out of an eclectic
collection of materials – videos, music, dietary information, exercise programs, and
books, along with a schedule for her daily treatment and a mantra filled with affirmations
to use each time negative thoughts would intrude. Over time she mitigated her condition
and found fulfillment and happiness in her life. Ann decided to share her experience,
materials, and therapy with others. She incorporated as a Woman-Owned
S-Corporation, got a Small Business Administration (SBA) loan for $350,000 and opened a
shop with an office in her hometown of Burlington near Boston. Burlington is the location
of many high-technology companies and upper-middle class well-educated hardworking
and stressed-out people.
To run her business, she purchased a computer (which she calls the back office computer)
and the necessary peripherals for faxing, printing and so on, and a Point of Sale computer.
She hired a staff of three people, Larry, Curly and Moe, to work the counter and cash
register, and handle various other tasks, including accessing the back office computer
when needed for things like creating invoices or letters to mail. Moe is the supervisor in
charge when Ann is not in the store. Moe has a Master’s degree in horticulture from
Northeastern University, but likes to tinker with computers. Larry and Curly like to tinker
too, and Curly sometimes uses the back office computer for surfing the Internet for
fishing gear and other such items. The following describes her systems and
configuration.
Ann purchased a Dell OptiPlex 390 computer (visit www.dell.com for more information)
for keeping the accounting books and records, such as sales transactions, and
performing basic office functions such as word processing and spreadsheets.
The software on this system consists of Microsoft Windows 7 Professional edition with
the bundled software, including Microsoft Office, along with an 8×5 support and
maintenance contract that allows her to upgrade her software at a reduced rate.
For accounting and keeping track of sales transactions, she uses a custom program
written by her nephew, Bob, who is a sophomore computer science student at Boston
University. The program is written in Microsoft Visual Basic .NET and uses Microsoft
Access as the database.
She stores her business records and invoices as plain files (e.g. text and Microsoft Word
documents) in various directories. She does not use an encrypted file system. She relies
on a conventional firewall and virus scanner for security. For that, she uses the free
version of ZoneAlarm for a firewall, and the free version of AVG for virus scanning. She
also does backups to flash drives weekly, which she keeps at home in a desk drawer.
Ann uses the built-in Windows Administrator account for login, with her pet cat’s name,
“Fluffy”, as the password. Only she knows the administrator password. She has a user
account called “Assistant” to enable her staff of three (Larry, Curly, and Moe) to log in
and work on the computer to do basic things – use the Internet, create files, etc. The
system is connected to the Internet through a local service provider using a wireless
network connection. The wireless connection is Wired Equivalent Privacy (WEP)
encrypted, but she has chosen her store’s phone number as her WEP password.
For the storefront, Ann purchased a small Point of Sale (POS) computer from InitiaTek,
a company that specializes in POS computers and installation. The POS software runs
on Windows 7 inside a Microsoft Virtual PC virtual machine. The configuration of the POS
system consists of a self-contained cash drawer and sales register, plus tabulation and
transaction software written in C#.NET. This system is networked over the wireless
network to the back office computer, also using WEP.
InitiaTek configured a software and network interface from the POS system tabulation
and transaction software to the custom accounting application running on the back office
computer so that when a transaction is “rung up” on the POS, it records it both in the
POS and simultaneously passes the sales transaction to the accounting application,
which records it in the Microsoft Access database.
Instructions:
Choose a method for risk assessment, and then conduct an assessment of the
security described in the previous scenario. To do this, you will complete an
assessment of assets (Step 1). For Step 1, you have to identify what hardware and
software is in place. Make note also of what information is kept on the systems, and
classify it according to sensitivity or confidentiality.
Next, assess the vulnerability of these assets as best you can (Step 2). This
requires you to try to determine how vulnerable these assets are; for example, how is
access to systems controlled? Write a brief description of the vulnerabilities.
Then, you will try to assess the probability and severity of damage that could
occur (Step 3). In addition to the descriptive sentences, I usually like to create a
matrix for this that would show the probability of a risk (e.g. what is the probability
that the risk exists AND that it will be exploited – a subjective measure that I try to
quantify) and the severity of the risk if it exists.
Finally, write up an assessment of the risk. At this point, you are only interested in
the risks, NOT in the security measures you would implement to resolve them (we
will get to that later).
So, your assignment should consist of:
1. A chosen method for risk assessment, explained and used.
2. List of assets
3. Risk/Vulnerability assessment statements (according to your chosen method)
4. A brief assessment of probability and severity of damage in the event of a
security incident
5. A write-up of the assessment
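The Step 3 probability/severity matrix described above, as an added example that is not part of the assignment or its answer key: a small Python risk register for the Becoming Company scenario. The assets and vulnerabilities are taken from the scenario text; the 1-5 likelihood and severity scores and the rating bands are illustrative assumptions that you would need to justify yourself.

```python
from collections import defaultdict
from dataclasses import dataclass

@dataclass(frozen=True)
class Risk:
    asset: str           # Step 1: the asset at risk
    vulnerability: str   # Step 2: why it is exposed
    likelihood: int      # Step 3: risk exists AND gets exploited, 1-5 (subjective)
    severity: int        # Step 3: damage if it happens, 1-5

    @property
    def score(self) -> int:
        return self.likelihood * self.severity

    @property
    def rating(self) -> str:
        # Band cut-offs are an assumption of this example, not the course's.
        if self.score >= 15:
            return "high"
        return "medium" if self.score >= 8 else "low"

# Constructed register drawn from the scenario; the scores are illustrative.
REGISTER = [
    Risk("Back office PC: accounting books, invoices, records",
         "WEP wireless keyed with the store's public phone number", 4, 5),
    Risk("Back office PC: Administrator account",
         "Password is the owner's cat's name, 'Fluffy'", 3, 5),
    Risk("Back office PC: shared 'Assistant' account",
         "Three staff share one login; no per-user accountability", 4, 3),
    Risk("Custom VB.NET/Access accounting application",
         "Student-written, no stated testing or support", 3, 4),
    Risk("POS to back office transaction link",
         "Sales data crosses the same WEP network", 4, 4),
    Risk("Weekly backups on flash drives",
         "Unencrypted media kept at home; up to a week of loss", 2, 3),
]

def ranked(register=REGISTER):
    """Risks sorted highest score first; ties keep register order."""
    return sorted(register, key=lambda r: -r.score)

def matrix(register=REGISTER):
    """Probability x severity matrix: {(likelihood, severity): [assets]}."""
    cells = defaultdict(list)
    for r in register:
        cells[(r.likelihood, r.severity)].append(r.asset)
    return dict(cells)

if __name__ == "__main__":
    for r in ranked():
        print(f"{r.score:2d} {r.rating:6s} {r.asset}: {r.vulnerability}")
```

The ranked list feeds item 4 of the deliverables, and the matrix cells give the grid the instructor describes for Step 3.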
Submit your assignment as a Word or PDF document. Your assignment will be judged:
50% for method properly used, 50% for write-up (accuracy and professionalism of the
product).