Risk Assessment Case Study


Chief Information Security Officer-Level Risk Assessment

The objective of this work is to examine a Chief Information Security Officer-level risk assessment. Specifically, the scenario in this study is securing information for the local Emergency Management Agency in an Alabama county. The Director of Emergency Management in this county has tasked the Chief Information Security Officer with setting out a plan for the information security of the department's networking and computing systems.

Information Security Management involves the "identification of an organization's assets and the development, documentation, and implementation of policies, standards, procedures, and guidelines, which ensure their availability, integrity, and confidentiality." (Official ISC Guide to the CISSP Exam, nd) Threats are identified, assets classified, and security controls implemented through use of "data classification, security awareness training, risk assessment, and risk analysis," and their vulnerabilities are rated. (Official ISC Guide to the CISSP Exam, nd)

Risk management involves the "identification, measurement, control, and minimization of loss associated with uncertain events or risks." (Official ISC Guide to the CISSP Exam, nd) Included are "over-all security reviews, risk analysis, evaluation, and selection of safeguards, cost/benefit analysis, management decisions, safeguard implementation, and effectiveness reviews." (Official ISC Guide to the CISSP Exam, nd)

I. Security Plans and Implementation

It is important that the CISSP understand the following:

(1) The planning, organization, and roles of individuals in identifying and securing an organization's information assets;

(2) The development of effective employment agreements; employee hiring practices, including background checks and job descriptions; security clearances; separation of duties and responsibilities; job rotation; and termination practices

(3) The development and use of policies stating management's views and position on particular topics and the use of guidelines, standards, baselines, and procedures to support those policies;

(4) The differences between policies, guidelines, standards, baselines, and procedures in terms of their application to information security management;

(5) The importance of security awareness training to make employees aware of the need for information security, its significance, and the specific security-related requirements relative to the employees' positions;

(6) The importance of data classification, including sensitive, confidential, proprietary, private, and critical information;

(7) The importance of risk management practices and tools to identify, rate, and reduce the risk to specific information assets, such as:

(a) Asset identification and evaluation

(b) Threat identification and assessment

(c) Vulnerability and exposures identification and assessment

(d) Calculation of single occurrence loss and annual loss expectancy

(e) Safeguards and countermeasure identification and evaluation, including risk management practices and tools to identify, rate, and reduce the risk to specific information assets

(f) Calculation of the resulting annual loss expectancy and residual risk

(g) Communication of the residual risk to be assigned (i.e., insured against) or accepted by management

(h) The regulatory and ethical requirements to protect individuals from substantial harm, embarrassment, or inconvenience, due to the inappropriate collection, storage, or dissemination of personal information

(i) The principles and controls that protect data against compromise or inadvertent disclosure

(j) The principles and controls that ensure the logical correctness of an information system; the consistency of data structures; and the accuracy, precision, and completeness of the data stored

(k) The principles and controls that ensure that a computer resource will be available to authorized users when they need it

(l) The purpose of and process used for reviewing system records, event logs, and activities

(m) The importance of managing change and the change control process

(n) The application of commonly accepted best practices for system security administration, including the concepts of least privilege, separation of duties, job rotation, monitoring, and incident response

(o) Internal control standards reduce this risk; they are required to satisfy obligations with respect to the law, to safeguard the organization's assets, and to account accurately for revenue and expense tracking;

(p) There are three categories of internal control standards -- general standards, specific standards, and audit resolution standards:

(i) General standards must provide reasonable assurance, support the internal controls, provide for competent personnel, and assist in establishing control objectives and techniques (Official ISC Guide to the CISSP Exam, nd);

(ii) Specific standards must be documented, clear, and available to personnel; they allow for the prompt recording of transactions and the prompt execution of authorized transactions; specific standards establish separation of duties, qualified supervision, and accountability (Official ISC Guide to the CISSP Exam, nd); and

(iii) Audit resolution standards require that managers...

(Official ISC Guide to the CISSP Exam, nd)

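As an added illustration that is not part of the original essay or of the ISC guide, the calculations in items (d) through (g) are carried through below in Python for the county EMA scenario; every dollar figure, exposure factor and occurrence rate is a constructed assumption, not a value from the study.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Threat:
    """One asset/threat pair in the risk register (items (a)-(c) above)."""
    name: str
    asset_value: float      # AV: cost to recover or replace the asset, in dollars
    exposure_factor: float  # EF: fraction of AV lost in a single occurrence, 0.0-1.0
    aro: float              # ARO: expected number of occurrences per year

def single_loss_expectancy(t: Threat) -> float:
    """SLE = AV x EF, the loss from one occurrence (item (d))."""
    if not 0.0 <= t.exposure_factor <= 1.0:
        raise ValueError("exposure factor must lie in [0, 1]")
    return t.asset_value * t.exposure_factor

def annual_loss_expectancy(t: Threat) -> float:
    """ALE = SLE x ARO, the expected loss per year from this threat (item (d))."""
    return single_loss_expectancy(t) * t.aro

def evaluate_safeguard(before: Threat, after: Threat, annual_cost: float) -> dict:
    """Items (e)-(f): compare ALE with and without the safeguard. The ALE that
    remains after the safeguard is the residual risk; the safeguard's net value is
    the ALE reduction minus its annual cost (negative means it does not pay)."""
    ale_before = annual_loss_expectancy(before)
    residual = annual_loss_expectancy(after)
    return {"ale_before": ale_before, "residual_ale": residual,
            "net_value": ale_before - residual - annual_cost}

def residual_risk_decision(residual_ale: float, acceptable_ale: float) -> str:
    """Item (g): residual risk at or below management's threshold is accepted;
    anything above it is assigned (insured against) and reported as such."""
    return "accept" if residual_ale <= acceptable_ale else "assign (insure)"

# Constructed figures for the county EMA dispatch server losing utility power in
# a severe weather event; none of these numbers come from the essay.
POWER_LOSS_UNMITIGATED = Threat("storm power loss, no generator", 200_000.0, 0.25, 2.0)
POWER_LOSS_WITH_GENERATOR = Threat("storm power loss, generator + UPS", 200_000.0, 0.0625, 2.0)
GENERATOR_ANNUAL_COST = 15_000.0   # fuel, maintenance, and load testing (assumed)

if __name__ == "__main__":
    result = evaluate_safeguard(POWER_LOSS_UNMITIGATED, POWER_LOSS_WITH_GENERATOR,
                                GENERATOR_ANNUAL_COST)
    for key, value in result.items():
        print(f"{key}: ${value:,.0f}")
    print("residual risk:", residual_risk_decision(result["residual_ale"], 10_000.0))
```

With these assumed inputs the generator reduces the ALE from $100,000 to $25,000 at a cost of $15,000 per year, and the $25,000 residual is what management must choose to accept or insure.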
II. Risk Assessment

If the Emergency Management Agency in the county at issue in this scenario is required to respond to a severe weather event, it is likely that the agency's network and computing system will be running on backup or generator power, since electrical power may be knocked out during such an event. The Information Security Manager is required to "establish and maintain a security program that ensures the availability, integrity, and confidentiality of the organization's information resources." Availability is reported to be the assurance "that a computer system is accessible by authorized users whenever needed." (Official ISC Guide to the CISSP Exam, nd)

There are two aspects of availability: (1) denial of service; and (2) loss of processing capabilities as a result of natural disasters or human actions. (Official ISC Guide to the CISSP Exam, nd) Denial of service refers to user or intruder actions that tie up computing services so that the system cannot be used by its authorized users. (Official ISC Guide to the CISSP Exam, nd, paraphrased)

III. Contingency Planning

Contingency planning is reported to involve (1) business resumption planning, (2) alternative-site processing, or (3) simple disaster recovery planning, each of which provides another method of processing so that availability is ensured. (Official ISC Guide to the CISSP Exam, nd, paraphrased) The important categories of security controls are: (1) physical; (2) technical; and (3) administrative controls. (Official ISC Guide to the CISSP Exam, nd)

Physical controls are those set in place to prevent individuals who are not authorized from coming into contact with resources, including computing resources, fire and water controls, and the processing and off-site backup facilities used for storage. (Official ISC Guide to the CISSP Exam, nd, paraphrased) Alongside them, the guide lists "fault-tolerance mechanisms and access control software to prevent unauthorized users from disrupting services." (Official ISC Guide to the CISSP Exam, nd)

Technical controls are reported to include fault-tolerance mechanisms, electronic vaulting, and access control software, so that unauthorized users are unable to disrupt services. Administrative controls include "access control policies, operating procedures, contingency planning, and user training." (Official ISC Guide to the CISSP Exam, nd) It is important that operators, programmers, and security personnel are trained so that they can help avoid the computing errors that cause loss of availability.

Integrity is reported as the "protection of system information or processes from intentional or accidental unauthorized changes." (Official ISC Guide to the CISSP Exam, nd) While the security program cannot ensure or improve the accuracy of the data that is input into the system, it can help make sure that changes are intended and that intended changes are effectively applied to the system. There are three basic principles for the establishment of integrity controls:

(1) Granting access on a need-to-know basis;

(2) Separation of duties; and

(3) Rotation of duties. (Official ISC Guide to the CISSP Exam, nd)

The 'need-to-know' access principle holds that users should only be granted access to the files and programs they require to perform their assigned tasks effectively. Users' access to production data and programs should be restricted "through use of well-formed transactions" that serve to ensure that "users can change data or programs only in controlled ways that maintain integrity." (Official ISC Guide to the CISSP Exam, nd)

Separation of duties ensures that no one employee controls a transaction "from beginning to end" and that at least two individuals are responsible for performing it. Rotation of duties involves changing job assignments periodically so that users are not able to gain complete control of a transaction, or collaborate to subvert it for some fraudulent purpose.

IV. Confidentiality

Confidentiality protects system information from access by unauthorized users, resources, and processes. It is reported that "Confidentiality must be well defined, and procedures for maintaining confidentiality must be carefully implemented. Crucial aspects of confidentiality are user identification, authentication, and authorization." (Official ISC Guide to the CISSP Exam, nd)

The following are stated to be threats to confidentiality:

(1) Hackers. A hacker or cracker is someone who bypasses the system's access controls by taking advantage of security weaknesses that the system's developers have left in the system. In addition, many hackers are adept at discovering the passwords of authorized users who choose passwords that are easy to guess or appear in dictionaries. The activities of hackers represent serious threats to the confidentiality of information in computer systems. Many…

Cite this Document:

"Risk Assessment" (2012, December 09) Retrieved February 29, 2024, from