Jun 02, 2025
See attached
III.docx
The purpose of the PowerPoint presentation is to show threats, vulnerabilities, and recommendations in an affinity diagram. An example of this diagram is provided in your textbook in Chapter 4.
As a risk management project manager, you must identify the threats, vulnerabilities, and recommendations for ABC IT Organization's application database server. The following must be provided with speaker notes in the notes section of each slide.
1. Title Slide
2. Threat Slide
3. Vulnerability Slide
4. Recommendation Slide
5. Reference Slide
Your presentation must be at least five slides in length. Slides two, three, and four must contain at least one graphic (picture, photograph, graph). Your slides must contain speaker notes. You are required to use at least three resources in your presentation, one of which must be your textbook and one must be from the CSU Online Library. Your reference slide and in-text citations must be in APA style.
TEXTBOOK: Gibson, D., & Igonor, A. (2022). Managing risk in information systems (3rd ed.). Jones & Bartlett Learning. https://online.vitalsource.com/#/books/9781284193633
UnitIII2.pdf
SEC 4301, IS Disaster Recovery 1
Course Learning Outcomes for Unit III
Upon completion of this unit, students should be able to:
2. Develop an asset ranking report.
2.1 Process the five performance areas before evaluating the risk assessment.
3. Analyze an impact assessment for organization threat analysis.
3.1 Calculate which method, qualitative or quantitative, impacts critical asset(s).
3.2 Investigate the critical steps for major components for successful risk assessment impacts.
Required Unit Resources
Chapter 5: Defining Risk Assessment Approaches
Chapter 6: Performing a Risk Assessment
Unit Lesson
Risk Assessment Explained
You may have seen the movie or have been fortunate enough to see the stage play Cabaret; if not, you may have at
least heard the song “Money Makes the World Go Round” sung by Liza Minnelli and Joel Grey. The analogy
is about the importance of money to businesses: if the world stopped, so would the cash flow. Businesses
must allocate money for security funding, and part of that funding or budget must address risk assessments.
Without this funding there will be no risk assessment, and the business will be subjected to vulnerabilities
that will plague it into failure. Management must provide the best balance between the profitability of the
business and its survivability against the risks that can harm it.
According to Gibson (2015), risk assessment is risk analysis and is responsible for identifying and evaluating
risks. The risks are prioritized by management as acknowledged in the risk management program. Below are
brief attributes of risk assessments.
• Time: Risk assessment is dependent on time during its creation.
• Monitoring: Continual monitoring of the risk management program is needed.
• Controls: Safeguards affect the risk assessment (Gibson, 2015).
The purpose for risk assessment is to provide management the tools to evaluate and identify controls that
support the decision-making process and to assess the effectiveness of the controls (Gibson, 2015). The
steps below assist management in the evaluation and identification of the risk assessment.
UNIT III STUDY GUIDE
Risk Assessment Concepts
Figure 3.1: Five steps to identify risk assessment
(Adapted from Gibson, 2015, p. 115)
Critical Components Triad
The above steps allow management to effectively classify the risks and control the types of threats and
vulnerabilities encountered from these risks. There are three critical steps that help identify the major
components that influence the successful impact of risk assessment. These steps are illustrated in Figure 3.2.
In the previous unit, the scope was identified as a product or project within project management. Therefore,
as a product, risk assessment scope examines what assets of the information technology infrastructure might
be impacted by the threats and vulnerabilities. The scope could be one or more of the seven domains, which
were covered in Unit I of this course. For instance, the System/Application Domain, as shown in Figure 3.3
below, illustrates the scope’s boundary for the risk assessment.
Figure 3.2: Risk Assessment Triad
(Gibson, 2015)
Figure 3.4 shows the critical components that need to be identified as risk assessment impact areas for the
scope. The products involved, as shown in Figure 3.3, are firewalls, a mainframe computer, and application and
Web servers. For each of these components, the single points of failure must be identified: failures that are
hardware in nature, software code attacks, and any controls associated with the hardware setup of each component.
Figure 3.3: System/Application Domain
(Gibson, 2015, p. 7)
Team members from the risk assessment project must be fluent in information technology (IT) operations
across the seven domains and are not part of the mitigating team or group that corrects the deficiencies
found in the scope area. This keeps the team members free of any conflict of interest when the
deficiencies are mitigated.
Qualitative or Quantitative Methods
During the risk assessment process there are two methodologies of quantifying risks; these methods are
qualitative and quantitative. Below are the differences between the two methodologies.
• Qualitative: This involves subjective methodology and acts on categorical variables such as low,
medium, or high, to express the possibility of risk impacts for management decision-making.
Identifying the risk level is done through probability or impact opinion statements from experts
(Gibson, 2015).
• Quantitative: This objective methodology uses specific data, such as mathematical calculations, to
arrive at a numerical decision-making process. Such formulas include single loss expectancy, annual
loss expectancy, annual rate of occurrence, or safeguard values (Gibson, 2015).
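Worked illustration of the quantitative formulas named above (single loss expectancy, annual rate of occurrence, annual loss expectancy and safeguard value). This is an added Python example, not material from the study guide or the textbook; the database-server figures and the two candidate controls in it are constructed assumptions. It goes slightly beyond the list above by deriving SLE from asset value and an exposure factor (the fraction of the asset lost per event), which is the standard definition of SLE.

```python
"""Quantitative risk formulas from the unit: SLE, ARO, ALE and safeguard value.
Added example, not code from the study guide or the textbook; the asset figures
and the two candidate controls below are constructed for illustration."""
from dataclasses import dataclass


def single_loss_expectancy(asset_value: float, exposure_factor: float) -> float:
    """SLE = asset value x exposure factor (fraction of the asset lost per event)."""
    if not 0.0 <= exposure_factor <= 1.0:
        raise ValueError("exposure factor must be a fraction between 0 and 1")
    return asset_value * exposure_factor


def annual_loss_expectancy(sle: float, aro: float) -> float:
    """ALE = SLE x ARO, where ARO is the expected number of loss events per year."""
    return sle * aro


@dataclass(frozen=True)
class Safeguard:
    name: str
    annual_cost: float          # yearly cost to run the control
    new_exposure_factor: float  # fraction of the asset still lost per event
    new_aro: float              # expected events per year with the control in place


def safeguard_value(asset_value: float, exposure_factor: float, aro: float,
                    control: Safeguard) -> float:
    """Cost-benefit of one control: ALE before it, minus ALE after it, minus its
    annual cost. A positive result means the control saves more than it costs."""
    ale_before = annual_loss_expectancy(
        single_loss_expectancy(asset_value, exposure_factor), aro)
    ale_after = annual_loss_expectancy(
        single_loss_expectancy(asset_value, control.new_exposure_factor), control.new_aro)
    return ale_before - ale_after - control.annual_cost


def best_safeguard(asset_value, exposure_factor, aro, candidates):
    """Pick the control with the highest positive value; None if none pays off."""
    scored = [(safeguard_value(asset_value, exposure_factor, aro, c), c) for c in candidates]
    value, control = max(scored, key=lambda pair: pair[0])
    return control if value > 0 else None


# Constructed scenario: an application database server valued at $200,000 where
# an outage loses half its value (EF 0.5) about once every two years (ARO 0.5).
DB_SERVER_VALUE, DB_EXPOSURE, DB_ARO = 200_000.0, 0.5, 0.5
BACKUP = Safeguard("nightly off-site backup", 8_000.0, 0.1, 0.5)
REPLICATION = Safeguard("synchronous replication", 60_000.0, 0.05, 0.1)

if __name__ == "__main__":
    chosen = best_safeguard(DB_SERVER_VALUE, DB_EXPOSURE, DB_ARO, [BACKUP, REPLICATION])
    print("recommended control:", chosen.name if chosen else "none pays off")
```

In the constructed scenario the backup control is worth 32,000 a year net while the replication option costs 11,000 more than it saves, which is the kind of comparison the quantitative method is meant to support.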
Challenges to Risk Assessment
There are many challenges to risk assessment, and rightly so, as each risk is dependent on the assessment type
selected by management as well as the methodologies mentioned above. Such challenges are mentioned
below:
• static process technique for moving target(s),
• data and resource availability,
• data accuracy,
• effects of impact through estimation, and
• useful results that assist risk acceptance and resource allocation (Gibson, 2015).
Describing the Assessment
With the understanding of risk assessment and which methodology to use, we can move forward in identifying
the IT asset through two primary areas in classifying the systems or processes. Therefore, if we look at Figure
3.3 System/Application Domain above, we see an application and Web server. Take the Web server for
example; everyone in a typical organization will have access to the Web server. However, what type of
access is granted to employees? The system administrator needs to know how the Web server operates and
is configured in order to provide proper allocation of resources to the employees. This is important, as certain
employees will need access to websites for purchasing equipment for the organization while others do not.
Human resource (HR) employees will need full access rights to the organization’s employee website, but
restricted access is given to other employees to just view their own information. Therefore, two primary
focuses for any asset are operational characteristics and the mission of the system (Gibson, 2015).
Identifying and Evaluating Risk Assessment
Before performing the risk assessment, there are five performance areas that must be considered. These
areas are illustrated in Figure 3.4 below.
Figure 3.4: Performance Processes
(Gibson, 2015)
Management needs to assign ownership of the different areas of assets within the organizational IT
infrastructure. Such ownership makes it easier to mitigate the risks when it is time to implement the risk
recommendations for the assets (Gibson, 2015). Examples of IT assets that are assigned owners are network devices,
different servers (email, database, Web), user and computer management, and configuration/change
management. The assignment of ownership will make it easier to stay within the risk assessment scope for
the organizational assets.
Information technology assets within an organization will depreciate over time. Therefore, it is imperative that
critical assets be identified to be replaced since these assets will be the number one priority for risk
management. The replacement cost or upgrade of the depreciated asset is known as asset valuation. The
value of the asset is rated by two different viewpoints as indicated below.
• Replacement value is the direct cost of replacing the asset in its entirety.
• Recovery value costs involve parts that need to be replaced due to failure within the asset. Examples
are cooling fans, hard drives, and input devices (Gibson, 2015).
Previously, we identified threats to be any individual or software code that can cause harm to the IT
infrastructure by damaging or endangering devices and/or people (Gibson, 2015). Consequently, identifying the
threats is a necessary step in the threat assessment plan. Figure 3.5 below illustrates the threat attack
sequence along the path to loss of, or impact on, an asset.
Figure 3.5: Threat Cycle
(Adapted from Gibson, 2015, p. 149)
Reviewing the organization’s historical data as well as threat modeling will ensure all threats have been
identified and evaluated in the risk assessment (Gibson, 2015).
Remember, vulnerabilities are the degree to which people or systems are susceptible to impairment or
incompatibility of IT assets as identified in Unit II. As such, all IT assets have a variety of vulnerabilities that
can affect the operation of the asset; not all vulnerabilities can cause undue harm to the assets (Gibson,
2015). Discovering a weakness in the IT asset is known as a vulnerability assessment. Gathering information
about the vulnerability assessment is important. Vulnerability tools such as Retina, Nmap, and Nessus are
used to scan the network of an organization for vulnerabilities.
Safeguarding controls or providing security enhancements to controls are countermeasures used to prevent
or reduce the threats and vulnerability attacks from hackers. Controls that affect the countermeasures are
either in-place controls, meaning these controls are already part of the asset, or system or planned controls,
which have an implementation date for those controls to be activated (Gibson, 2015). There are three types or
categories that affect the controls that are either in-place or planned controls. These control categories are
represented in Figure 3.6.
Figure 3.6: Safeguard Controls
(Gibson, 2015)
• Procedural controls are based on rules and procedures that are governed by the management
of the organization.
• Technical controls are automated controls implemented by computer hardware and/or software
applications that protect the systems and provide constant protection.
• Physical controls, as the name states, are physical in nature, including locks, gates, security guards,
closed-circuit TV cameras, fire suppression systems, and any hardware equipment used to control the
physical environment of the organization (Gibson, 2015).
Summary
Once all the risk assessments have been identified, the risk management coordinator will decide which
methodology to implement. The choice between the qualitative and quantitative methods, as explained earlier in
this unit, would be used to determine the assessment needs. Again, this depends on the costs of the assets. If
you have a cost figure, then the quantitative method would be used; if there is no arbitrary cost on the asset, then
the qualitative method will be employed. Information derived from the risk assessment will then be used to
formulate how risks are to be mitigated and to determine best practices for performing the risk assessments.
Reference
Gibson, D. (2015). Managing risk in information systems (2nd ed.). Jones and Bartlett Learning. https://online.vitalsource.com/#/books/9781284107753
Suggested Unit Resources
In order to access the following resources, click the links below.
The following presentations will summarize and reinforce the information from Chapters 5 and 6 in your
textbook.
Chapter 5 PowerPoint Presentation
PDF Version of Chapter 5 PowerPoint Presentation
Chapter 6 PowerPoint Presentation
PDF Version of Chapter 6 PowerPoint Presentation
https://online.columbiasouthern.edu/bbcswebdav/xid-145286817_1
https://online.columbiasouthern.edu/bbcswebdav/xid-145286816_1
https://online.columbiasouthern.edu/bbcswebdav/xid-145286820_1
https://online.columbiasouthern.edu/bbcswebdav/xid-145286819_1
Learning Activities (Nongraded)
Nongraded Learning Activities are provided to aid students in their course of study. You do not have to submit
them. If you have questions, contact your instructor for further guidance and information.
The following learning activities provide additional information that will assist you with the mastery of the
learning objectives for this unit.
Go to the CSU Online Library, and use the Discovery Search feature.
Utilize the Discovery Search feature in the CSU Online Library, and type in the following phrases: “annual loss
expectancy, qualitative risk, quantitative risk, risk safeguards, single point of failure, risk assessment threats.”
Select and read two articles. Use the criteria of peer-reviewed article (scholarly) and less than five years old.
Here is a link straight to the CSU Online Library Discovery Search.
The internet can provide you with a wealth of information concerning the topics in this unit. For example, the
following video is from CSU Films on Demand database and provides additional information about risk
assessment.
Skillbank Solutions Ltd (Producer). (1999). Risk assessment (Segment 6 of 7) [Video]. In Computer Security. Films on Demand. https://libraryresources.columbiasouthern.edu/login?auth=CAS&url=http://fod.infobase.com/PortalPlaylists.aspx?wID=273866&xtid=11727&loid=14503
The transcript for this video can be found by clicking the “Transcript” tab to the right of the video in the Films
on Demand database.
Check Your Knowledge
These questions will help you assess whether or not you have mastered the unit content. Can you answer
them without looking in the textbook?
• Answer the Chapter 5 Assessment questions at the end of Chapter 5 in your textbook. After you have
answered the questions, you can find out how well you did by viewing the Chapter 5 Answer Key.
• Answer the Chapter 6 Assessment questions at the end of Chapter 6 in your textbook. After you have
answered the questions, you can find out how well you did by viewing the Chapter 6 Answer Key.
Word Search
Some of this unit’s key terms and phrases (written as one word) have been hidden in the word search puzzle.
Access the Unit III Word Search puzzle, and see if you can find them.
http://libguides.columbiasouthern.edu/?b=p
https://online.columbiasouthern.edu/bbcswebdav/xid-145286857_1
https://online.columbiasouthern.edu/bbcswebdav/xid-145286858_1