COPY THIS DOCUMENT AND SUBMIT



Create a company or business based on your skillset as a Cybersecurity Professional.
This company can be real or imaginary. The idea is for you to envision yourself running a company and understanding your assets and risks.

1. What is the name of your company?

2. What does your company do?



Perform a risk assessment of your company

3. Identify and scope assets

The first step when performing a risk assessment is to identify the assets to be evaluated and to determine the scope of the assessment.

For example, do you want to perform an assessment on every single asset in the company, including your buildings, employees, electronic data, trade secrets, vehicles, office equipment, and so on? (Remember, an asset may not be tangible; information is just as much an asset as the server where it resides.)

To avoid getting overwhelmed, it’s usually best to limit your scope to one type of asset at a time and then conduct risk assessments on other types as time and resources allow. After picking your first target, identify what else it touches.

Let’s assume that you want to assess only the electronic data stored on your information systems. What other assets are responsible for handling and securing the data? These are things like servers, desktop PCs, firewalls, mobile devices, etc. You must include these secondary assets in the assessment, because a risk posed to these devices is also a cybersecurity risk that’s posed to your data.

Don’t forget to consider both internal and external assets. For example, is your CRM data stored on a local server, or in a cloud service? Are there persistent VPN connections to partners’ IT systems? Keep asking “what’s next in the chain?” until you exhaust the search space.

4. List 10 Assets



QUANTITATIVE RISK ASSESSMENT: Determine the value of the assets

After identifying and scoping the assets to be assessed, you must next determine their value.

This is often difficult to do because “value” includes more factors than what you paid for the physical item.

Let’s continue using the example of confidential electronic data. There are many questions to ask when determining its value:

· If you lost all your company’s data tomorrow, how much time and money would it cost to create it all from scratch again?

· How much would a competitor pay to obtain it?

· What revenue would be lost as a result of the data being compromised?

· Would there be financial or legal penalties to pay?

All of these questions can give you a general estimate of how much your company’s data is worth. In addition to using numbers and evidence to determine an asset’s value (called a quantitative risk assessment)

5. ESTIMATE ASSETS VALUE for each asset. Also explain why you give it that value.

6. What is the TOTAL VALUE OF ALL YOUR ASSETS:

QUALITATIVE RISK ASSESSMENT
A qualitative risk assessment is a subjective rating of the likelihood and impact of losing or damaging an asset. Questions to ask:

· How would losing your data impact day-to-day operations? Could your employees even work?
· How would it affect your company’s reputation?
· How far would it set you back in terms of productivity?

For a Qualitative Assessment, you can use the following chart to determine the risk for a particular asset.


Asset: Server Room
Threat: The server room for a small company is located in the basement; hurricane threat to a company located in Miami, Florida.

                   IMPACT
PROBABILITY    Low       Medium    High
High           Medium    High      High
Medium         Low       Medium    High
Low            Low       Low       Medium

In the above example the probability and impact are both High, so the qualitative risk rating is HIGH.

7. DO A QUALITATIVE ASSESSMENT FOR 3 ASSETS

Asset:
Threat:

                   IMPACT
PROBABILITY    Low       Medium    High
High           Medium    High      High
Medium         Low       Medium    High
Low            Low       Low       Medium

=== PART 1 Questions to Answer in Discussion ===

· Create a Company or Business based on your skillset as Cybersecurity Professional. This company can be real or imaginary. The idea is for you to envision yourself running a company and understanding your assets and risks.

· What is the name of your company?

· What does your company do?

· Do a Quantitative Risk Assessment.
What are your company’s assets (minimum 10)?
What is the Value of your assets?

· Do a Qualitative Risk Assessment.

Choose 3 Assets and use the Assessment chart to define the asset, the threat, probability, and impact.


Asset: Laptop
Threat: Laptop gets stolen.

                   IMPACT
PROBABILITY    Low       Medium        High
High           Medium    High          High
Medium         Low       Medium (X)    High
Low            Low       Low           Medium

Reasons: My laptop has a backup, so the impact will be medium. I can use my backup to restore information from the laptop, but I will still need to buy a new one.

The probability is medium, because I work in the field, and I don’t have a lock for my laptop.


=== PART 2 ===


Quantitative Assessment




A Quantitative Assessment calculates the likelihood and impact of various loss scenarios on a per-year basis.

The next step is to identify cybersecurity risks: situations where the asset could be adversely affected, how likely those are to happen, and their impact if they happen. You’ll use these to calculate your Annualized Loss Expectancy, which in turn tells you the most it makes sense to spend per year to mitigate each identified risk.

Let’s imagine that you have a warehouse containing your inventory and equipment, and that warehouse is worth $20 million based on your estimates.

If you live in a dry area that is prone to fires, you should consider the likelihood of your facility being damaged or destroyed in a fire. From the data you’ve researched in your area, you make an informed estimate that your building could be affected by a fire once every ten years. You further estimate that, in the event of a fire, half of your warehouse would be lost before the fire could be contained. This results in an estimated loss of $10 million every ten years, or in annual terms, $1 million every year.

This concept translates to every type of asset. If you’re evaluating electronic data, identify various loss scenarios such as an attacker compromising your network and destroying 25% of your data, or a system crash losing the past two weeks of sales records, or server equipment failure preventing you from generating new data for five days.

Determine how likely each scenario would be on a per-year basis (called the Annual Rate of Occurrence, where 1 equals once per year, 0.5 equals once every two years, etc.), calculate the dollar-amount loss of each instance (called the Single Loss Expectancy), and multiply the likelihood by the cost to get the Annualized Loss Expectancy, which is the amount that you can spend per year on protecting against this situation.

Here are the equations for the Quantitative Assessment.

Asset Value x Exposure Factor = Single Loss Expectancy

Example: 100,000 bars of ice cream at $1 per bar gives an Asset Value of $100,000. With an Exposure Factor of 25%:

Single Loss Expectancy = $100,000 x 0.25 = $25,000

Asset Value: total value of the asset; this can be determined by the cost to replace it.

Exposure Factor: expected percentage of damage the asset will suffer if affected by the threat.

Single Loss Expectancy: expected loss if the risk occurs one time.

1. Take the 3 assets / risks and calculate the
Single Loss Expectancy

Consider and explain your exposure factor.

Single Loss Expectancy x Annualized Rate of Occurrence = Annualized Loss Expectancy

Example: hard drives with SLE = $100,000 and ARO = 0.08 (8%, roughly once every 12.5 years):

Annualized Loss Expectancy = $100,000 x 0.08 = $8,000

Single Loss Expectancy: expected loss if the risk occurs one time.

Annualized Rate of Occurrence: number of times a risk is expected to occur in a year. For example, if it floods every year, the ARO = 1.
If it floods every 2 years, the ARO = 0.5.
If it floods every 3 years, the ARO = 0.33.

Annualized Loss Expectancy: expected dollar loss from a risk in any given year. Think of it as the value of the risk averaged over time. Some assets, such as hard drives, are certain to fail eventually, so the ALE is a good indicator of how much should be budgeted each year to cover the asset.

2. Take 3 assets / risks and calculate the Annualized Loss Expectancy



Weigh cost of prevention against value of asset

You’ve now determined how much your asset is worth and how much you stand to lose from it each year (the ALE). This step is simple: if a control costs more per year than the loss it prevents, it doesn’t make sense to use that control or prevention method.

To continue with the warehouse example, there are several ways to mitigate or transfer the risk of losing your asset: you could install fire suppression systems, use fire-resistant building materials, or purchase insurance to recover the cost of the damage. You now know that it doesn’t make financial sense to spend more than $1 million per year on reducing the risk of fire to your warehouse, because above that figure you’d be spending more on protection than the expected loss you are preventing.

3. Take 3 assets / risks. Explain how you would protect against loss, and what it would cost.

Compare this against the single loss expectancy and annualized loss expectancy. Is it worth it for the company to invest in protecting the asset?
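The SLE, ARO and ALE calculations above, and the cost-of-prevention check that follows from them, as a worked script. This is an added example, not part of the assignment text. The warehouse, ice cream and hard drive figures are the page's own worked numbers; the threat labels where the page gives none, the ice cream ARO, and the control costs and residual exposure factors are constructed assumptions so the arithmetic can be exercised. It also goes a step beyond the page's rule of thumb: where a control only reduces rather than eliminates a risk, it compares the ALE before and after the control against the control's annual cost.

```python
"""Quantitative risk assessment helpers: SLE, ARO, ALE and a control check.

Added example. Figures marked "page" come from the assignment's worked
examples; everything marked "assumed" is constructed for illustration.
"""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Scenario:
    asset: str
    threat: str
    asset_value: float      # AV: cost to replace the asset, in dollars
    exposure_factor: float  # EF: fraction of AV lost in one occurrence, 0.0 to 1.0
    aro: float              # ARO: expected occurrences per year (1 = yearly, 0.5 = every 2 years)


def aro_from_interval(years_between_events: float) -> float:
    """Convert 'once every N years' into an ARO of 1/N."""
    if years_between_events <= 0:
        raise ValueError("years_between_events must be positive")
    return 1.0 / years_between_events


def single_loss_expectancy(s: Scenario) -> float:
    """SLE = Asset Value x Exposure Factor, rounded to cents."""
    if not 0.0 <= s.exposure_factor <= 1.0:
        raise ValueError("exposure_factor must be between 0 and 1")
    return round(s.asset_value * s.exposure_factor, 2)


def annualized_loss_expectancy(s: Scenario) -> float:
    """ALE = SLE x ARO, rounded to cents."""
    if s.aro < 0:
        raise ValueError("aro cannot be negative")
    return round(single_loss_expectancy(s) * s.aro, 2)


def evaluate_control(s: Scenario, annual_cost: float,
                     residual_ef: Optional[float] = None,
                     residual_aro: Optional[float] = None) -> dict:
    """Decide whether a control pays for itself.

    A control may lower the exposure factor (fire suppression limits damage),
    lower the ARO (a cable lock makes theft rarer), or both. If neither
    residual figure is given, the control is treated as removing the risk
    entirely, which reduces to the page's rule: spend at most the ALE per year.
    net_benefit = ALE before - ALE after - annual cost of the control.
    """
    ale_before = annualized_loss_expectancy(s)
    if residual_ef is None and residual_aro is None:
        ale_after = 0.0
    else:
        after = Scenario(
            s.asset, s.threat, s.asset_value,
            s.exposure_factor if residual_ef is None else residual_ef,
            s.aro if residual_aro is None else residual_aro,
        )
        ale_after = annualized_loss_expectancy(after)
    net_benefit = round(ale_before - ale_after - annual_cost, 2)
    return {"ale_before": ale_before, "ale_after": ale_after,
            "annual_cost": annual_cost, "net_benefit": net_benefit,
            "worth_it": net_benefit > 0}


# page: $20M warehouse, fire once every ten years, half the warehouse lost
WAREHOUSE_FIRE = Scenario("Warehouse", "Fire", 20_000_000, 0.5, aro_from_interval(10))
# page: 100,000 bars at $1 each, EF 25%; threat label and ARO of 1/year are assumed
ICE_CREAM = Scenario("Ice cream stock", "Freezer failure (assumed)", 100_000, 0.25, 1.0)
# page: SLE $100,000 and ARO 0.08; modelled here as AV $100,000 with EF 100%
HARD_DRIVES = Scenario("Hard drives", "Drive failure", 100_000, 1.0, 0.08)


if __name__ == "__main__":
    for s in (WAREHOUSE_FIRE, ICE_CREAM, HARD_DRIVES):
        print(f"{s.asset}: SLE=${single_loss_expectancy(s):,.2f} "
              f"ALE=${annualized_loss_expectancy(s):,.2f}")
    # assumed: fire suppression at $300,000/yr cuts damage from 50% to 10%
    print(evaluate_control(WAREHOUSE_FIRE, 300_000, residual_ef=0.1))
    # assumed: a $1.2M/yr control exceeds the $1M ALE even if it removed the risk
    print(evaluate_control(WAREHOUSE_FIRE, 1_200_000))
```

For the assignment's step 3, fill in one Scenario per asset/threat pair from your own list, then call evaluate_control with the real annual cost of the protection you propose and the exposure factor or ARO you expect to remain after it is in place; a negative net_benefit means the control is not worth buying for that risk alone.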
