Case Projects 13-1 and 14-1 Case Project 13-1:  Conducting Risk Assessment and Analysis Risk assessment can be as simple as noting an unlocked door or a password written on a slip of paper, or it can be a complicated process that requires several team members and months to complete. A large enterprise environment probably has multiple locations, diverse activities, and a wide array of resources to evaluate. You do not need such a complicated network, however, to work through this case project. The main idea is to learn how to apply your knowledge in a methodical fashion to produce useful and accurate results. Approaching a task such as risk assessment without a strategy in place usually results in repeated steps, wasted resources, and mediocre results at best. Even worse, you might miss critical information. In a real risk analysis, one of the first steps is to meet with all department managers, upper management, employee representatives, workers in the production environment, human resources staff, and other staff members to get their input. Such a meeting is not possible in this situation, so direct any questions to your instructor or do independent research to find your answers. In this project, you conduct a risk assessment and analysis of a small e-commerce business. You decide what product or service the business sells over the Internet. Use the following files provided by your instructor: ? Facilities diagram ? Network diagram ? Asset identification worksheet ? Business process identification worksheet ? Threat identification and assessment worksheet ? Threat mitigation worksheet 1. Give your company a name. 2. Identify the business processes that must continue for the organization to keep functioning—for example, collecting money from customers, receiving and processing sales, and developing new products. List major business processes that drive your company in the Business Process column of the business process identification worksheet. (Use your imagination and common sense to complete this step.) Assign a priority level to each process using the priority rankings in the following list. Write down the department that performs the process. Leave the Assets Used column blank for now. ? Critical—Absolutely necessary for business operations to continue. Loss of a critical process halts business activities. ? Necessary—Contributes to smooth, efficient operations. Loss of a necessary process doesn’t halt business operations but degrades working conditions, slows production, or contributes to errors. ? Desirable—Contributes to enhanced performance and productivity and helps create a more comfortable working environment, but loss of a desirable process doesn’t halt or hurt operations. 3. Identify the organization’s assets. Using the asset identification worksheet, list each asset, its location, and its approximate value, if known. For multiple identical assets, describe the asset and list the quantity instead of listing each asset. In organization-wide risk assessments, you would list all assets, including office furniture, industrial equipment, personnel, and other assets. For this project, stick to IT assets, such as computers, servers, and networking equipment. List all the equipment needed to build your network as well as any cabling in the facility. Assume that the facility is already wired for a computer network and has network drops for each computer. Remember to list items such as electricity and your Internet connection. 4. Next, determine which assets support each business process. On your business process identification worksheet, list the assets needed for each business process in the Assets Used column. 5. Document each process and assign a priority to it. Next, transfer the priority rankings to your asset identification worksheet. Now you know which assets are the most critical to restore and warrant the most expense and effort to secure. You also have the documentation to justify your security actions for each item. 6. Next, assess existing threats. Table 13-7 shows examples of evaluating types of threats and suggests ways to quantify them. On the threat identification and assessment worksheet, list each possible threat. Be sure to consider threats from geographic and physical factors, personnel, malicious attacks or sabotage, and accidents. Also, examine the facilities diagram for flaws in the facility layout or structure that could pose a threat, such as an air-conditioning failure or loss of electrical service. For each threat, assess the probability of occurrence (POC) on a scale of 1 to 10, where 10 represents the highest probability. Enter the ratings in the POC column for each threat. 7. Using the asset identification worksheet, determine which assets would be affected by each threat. List those assets in the Assets Affected column of the threat identification and assessment worksheet. For an electrical outage, for example, list all assets that require electricity to operate. For hardware failure, list all assets that a hardware failure would disrupt, damage, or destroy. 8. In the Consequence column, enter the consequences of the threat occurring. Use the following designations: ? Catastrophic (C)—Total loss of business processes or functions for one week or more; potential complete failure of business ? Severe (S)—Business would be unable to continue functioning for 24 to 48 hours; loss of revenue, damage to reputation or confidence, reduction of productivity, complete loss of critical data or systems ? Moderate (M)—Business could continue after an interruption of no more than four hours; some loss of productivity and damage or destruction of important information or systems ? Insignificant (I)—Business could continue functioning without interruption; some cost incurred for repairs or recovery; minor equipment or facility damage; minor productivity loss and little or no loss of important data 9. Rate the severity of each threat in the Severity column. Use the same designations as in Step 8 (C, S, M, or I). You derive these ratings by combining the probability of occurrence, the asset’s priority ranking, and the potential consequences of a threat occurring. For example, if an asset has a Critical (C) priority ranking and a Catastrophic (C) consequence rating, it has a Catastrophic (C) severity rating. If you have mixed or contradictory ratings, you need to reevaluate the asset and use common sense to determine the severity rating. A terrorist attack that destroys the facility might have a POC of 1, depending on your location, but the consequences would definitely be catastrophic. Even so, because of the low POC, you wouldn’t necessarily rank its severity as catastrophic. 10. On the threat mitigation worksheet, list assets that are ranked as the most critical and are threatened with the highest severity. In the Mitigation Techniques column, list recommendations for mitigating threats to those assets. For example, to mitigate the threat of an electrical outage damaging a critical server, you might suggest a high-end UPS.