In this paper we examine the risk assessment program for Data Mart. This is accomplished by establishing drivers, profiling assets, identifying threats and discussing how they will be addressed. Together, these elements show how Data Mart can use the latest version of the OCTAVE Allegro protocol to offer its clients greater protection.
Risk Assessment Program
Over the last several years, many small and medium-sized businesses have turned to cloud computing as a way of storing, retrieving and accessing vital information. A third-party provider offers firms these services at a fraction of the cost of a traditional IT department. Moreover, storage capacity is unlimited, and firms can readily protect themselves against vulnerabilities at a particular site. These benefits have led nearly 60% of all corporations to use cloud computing to reduce expenses and improve productivity. As a result, more firms are realizing higher profit margins by outsourcing these functions effectively. (Hashizume, 2013) (Kouns, 2011) (Panda, 2013)
However, the use of third-party providers is also very risky, because firms are leaving their most sensitive data with outside organizations that may not understand the needs of the company or apply proper security protocols. The impact is that these firms could have their data stolen without knowing what is happening until it is too late, the result of placing too much trust in third-party providers. (Hashizume, 2013) (Kouns, 2011) (Panda, 2013)
As a result, these capabilities vary from one organization to the next. In the case of Data Mart, the firm is focused on providing customers with the latest solutions for understanding and troubleshooting security issues. This is accomplished by using the OCTAVE Allegro protocol. The Operationally Critical Threat, Asset and Vulnerability Evaluation (OCTAVE) is focused on reducing the hazards affecting an organization, taking a process-driven approach to identifying, managing and prioritizing risks. (Hashizume, 2013) (Kouns, 2011) (Panda, 2013)
This is achieved through concentrating on a number of areas. The most notable include:
Developing qualitative risk evaluation procedures based upon the operational risks.
Identifying key assets and resources that are vital to the success of the mission and the organization.
Determining vulnerabilities and threats to key assets.
Evaluating potential adverse consequences to the organization (if these threats are realized).
Implementing corrective action to reduce risks and creating strategies that embrace practice protection principles.
These elements show how the approach is designed to mitigate and address any kind of threat early. It helps organizations understand what is happening, identify the threat and respond before any breach occurs. When this happens, the odds of the firm experiencing such incidents decrease. (Hashizume, 2013) (Kouns, 2011) (Panda, 2013)
As far as Data Mart is concerned, this protocol gives it an advantage in understanding and evolving with different kinds of threats, which helps it protect clients' information effectively through the OCTAVE Allegro approach. Fully understanding how this is achieved requires designing a risk assessment program for this protocol based upon international standard risks. This will be accomplished by establishing drivers, profiling assets, identifying threats and discussing how they will be addressed. Together, these elements will show how Data Mart can use the latest version of this strategy to offer its clients greater protection. (Hashizume, 2013) (Kouns, 2011) (Panda, 2013)
Stage 1: Establish Drivers
Data Mart's primary focus is on offering customers unique solutions that address their IT, storage and CRM needs in a cost-effective manner using the latest technology. The firm's exposure to potential threats stems from its large number of clients, which increases the probability of its becoming a target of hackers and other organizations. If they target the company's servers enough times, there is a realistic possibility of a breach occurring. This is a high-risk threat to the organization, as more third-party providers are becoming targets for these activities. (Hashizume, 2013) (Kouns, 2011) (Panda, 2013)
There are several qualitative factors used to evaluate the risk to an organization. The most notable include:
The number of clients and the size of the data which is stored. This is a high-threat category.
The sensitivity of the information. This area has a medium impact on the organization.
The amount of personnel available to monitor and adapt to potential changes. This is a medium-rated section.
These areas show a set of factors that can have negative effects on the firm's business model. (Cole, 2011) (Kaeo, 2004) (McCallum, 2010)
Establish Risk Assessment Criteria
Allegro Worksheet 1
Risk Measurement Criteria -- Reputation and Customer Confidence

Reputation (Staff)
  Low: The reputation of the staff is not impacted by any kind of issue. This means that no added expenses are required to help the firm recover.
  Moderate: The image of the organization has been damaged. This will cost between $250 thousand and $1 million to repair.
  High: The organization is negatively impacted by one or a series of events. This will have a negative effect on the firm and how it interacts with clientele as a result of the damage. In this case, these issues will cost in excess of $1 million.

Customer Loss
  Low: The reputation of the firm has been minimally damaged by an incident.
  Moderate: The company is spending between $250 and $1 million to repair any damages. However, these costs will help the organization reach out to new clientele by effectively settling any issues.
  High: The firm is experiencing damages in excess of $1 million. This means that the costs will require a new strategy to mitigate the loss of clientele to competitors.

Other:

Reputation (Community)
  Low: The community believes that Data Mart is helping to create jobs. At the same time, the firm has strong outreach and volunteers through a series of public projects.
  Moderate: The reputation of the company has been damaged. This means that it will cost it from $250 to $1 million to deal with any issues.
  High: The reputation in the community has been severely damaged and stakeholders are walking away. This is problematic, as there is no support for the employees, the firm or its activities. This is when regulatory pressures will increase.
Allegro Worksheet 2
Risk Measurement Criteria -- Financial

Operating Costs
  Low: Costs increase by 1.3% annually.
  Moderate: Costs rise from 3% to 6%.
  High: Costs increase in excess of 8% yearly.

Revenue Loss
  Low: Revenue losses of less than $150 thousand annually.
  Moderate: Revenue losses from $500 thousand to $1.5 million.
  High: Revenue losses in excess of $3 million.

One-Time Financial Loss
  Low: Less than $150 thousand in one-time expenses.
  Moderate: Between $500 thousand and $1.5 million.
  High: More than $3 million in losses.
Allegro Worksheet 3
Risk Measurement Criteria -- Productivity

Staff Hours
  Low: Staff hour costs increase by less than $150 thousand annually.
  Moderate: Staff hour expenses increase from $200 thousand to $1 million.
  High: Labor costs have increased by over $1 million.

Other: Customer Turnover Rate
  Low: The customer turnover rate is less than 2.0% of all clientele.
  Moderate: Turnover rates are between 3% and 8% annually.
  High: Turnover rates have increased by over 10%.
Allegro Worksheet 4
Risk Measurement Criteria -- Safety and Health

Life
  Low: No significant threat to the safety / health of customers and staff.
  Moderate: Stakeholders are impacted but can recover within a few hours. The costs are $500 thousand.
  High: Significant loss of customer lives at a facility. This results in costs and litigation above $2 million.

Health
  Low: There is no negative impact on health.
  Moderate: Stakeholders are able to recover within a few days. Costs are limited to $500 thousand.
  High: Customers and staff experience permanent damage from exposure to adverse incidents. These costs exceed $2 million.

Safety
  Low: There are no effects from company procedures or equipment on clientele / staff.
  Moderate: Safety is slightly impacted, resulting in expenses of $500 thousand.
  High: There are costs in excess of $2 million in damages. At the same time, the firm is experiencing a loss of employees and customers.
Allegro Worksheet 5
Risk Measurement Criteria -- Fines and Legal Penalties

Fines
  Low: Fines of less than $100 thousand will be assessed.
  Moderate: Fines are between $100 thousand and $350 thousand.
  High: Fines are greater than $500 thousand.

Lawsuits
  Low: Lawsuits of less than $100 thousand.
  Moderate: Litigation ranging from $200 thousand to $1 million.
  High: Lawsuits over $1 million.

Investigations
  Low: No investigations from government regulators or consumer watchdog organizations.
  Moderate: Regulators are investigating the firm as part of oversight and compliance.
  High: Investigators are opening a case into the firm's practices based upon customer complaints.

Other:
Allegro Worksheet 6
Risk Measurement Criteria -- User Defined

Customer Relations
  Low: The clients are happy with the services they are provided.
  Moderate: Clients have other partners who can provide similar services. The difference is that they are focusing on trying o
  High: Clients are leaving the company and going to competitors.

Employees
  Low: Employees are happy with the firm and will do more to help the organization.
  Moderate: Employees have some issues. However, they believe that things are moving in the right direction.
  High: There is tension between employees and managers. This creates conflict and has an impact on the firm's products.
Stage 2: Profile Assets
Develop an Informative Asset Profile
Allegro Worksheet 7
Impact Area Prioritization Worksheet

Priority -- Impact Area
1 -- Customer Confidence
3 -- Fiscal
5 -- Production
4 -- Health and Safety
2 -- Penalties and Fines
The information that is most valuable to Data Mart is the sensitive data it stores for its customers. The day-to-day assets used in the process include computers, servers, applications and communications equipment. If any of these were lost, it would have a negative impact on the firm's ability to achieve its mission, particularly at those times when the data is accessed without authorization or access is interrupted. (Cole, 2011) (Kaeo, 2004) (McCallum, 2010)
Identify Information Asset Containers
Allegro Worksheet 8
Critical Information Asset Profile

(1) Critical Asset -- What is the critical information asset?
Strong customer relations.

(2) Rationale for Selection -- Why is this information asset important to the organization?
This helps the company understand and address the needs of customers.

(3) Description -- What is the agreed-upon description of this information asset?
The information contains ideas that help build a strong relationship between the company and the client.

(4) Owner(s) -- Who owns this information asset?
The firm owns this information.

(5) Security Requirements -- What are the security requirements for this information asset?
Confidentiality: There will be a series of blocks and security protocols to ensure compliance. These changes will make the firm more responsive to shifts in the marketplace and demand from clientele.
Stage 3: Identify Threats
Allegro Worksheet 9a
Information Asset Risk Environment Map (Technical)

Internal
Container Description -- Owner(s)
1. The IT department is managed internally and is part of the company's business model. -- Managed by the firm.
2. The company's network provides a direct connection between various platforms and security solutions. -- Managed by the firm.
3. CRM technology enables clientele to have customizable solutions for their businesses. -- Managed by the firm.

External
Container Description -- Owner(s)
1. The Internet and electricity. This is problematic, as any kind of disruption can impact Data Mart's ability to provide clientele with continuous uptime. -- The client and the firm.
Allegro Worksheet 9b
Information Asset Risk Environment Map (Physical)

Internal
Container Description -- Owner(s)
1. Backups are conducted at multiple locations. This increases the chances of a breach by having more than one copy of the data available at any time. -- IT staff.
2. Regularity in schedules. This makes the activities and the times at which someone will be accessing files more predictable. These challenges could lead to unauthorized breaches during off-peak times. -- Managed by Data Mart and the IT department.

External
Container Description -- Owner(s)
1. Backups are conducted at multiple locations. This increases the chances of a breach by having more than one copy of the data available at any time. -- IT staff.
3. Regularity in schedules. This makes the activities and the times at which someone will be accessing files more predictable. These challenges could lead to unauthorized breaches during off-peak times. -- IT staff.
Allegro Worksheet 9c
Information Asset Risk Environment Map (People)

Internal Personnel
Name or Role/Responsibility -- Department or Unit
1. IT staff -- IT
3. Marketing -- Marketing
5. Troubleshooting challenges -- Engineering
7. Communicating key objectives -- Upper management

External Personnel
Contractor, Vendor, Etc. -- Organization
1. Various partnerships formed to improve product offerings and prevent any downtime issues. -- NA
3. Third-party providers will deal with HR, administration and payroll. -- Manpower
Identify Areas of Concern
Allegro Worksheet 10
Information Asset Risk Worksheet

Information Asset: Customer data.
Area of Concern: Unauthorized access to customer files and data.

Threat
(1) Actor -- Who would exploit the weakness?
Disgruntled current employees.
(2) Means -- How would the actor do it? What would they do?
Using a workstation on Data Mart's internal network to launch an attack on the system.
(3) Motive -- What is the actor's reason for doing it?
Wants to harm Data Mart because of issues they are having.
(4) Outcome -- What would be the resulting effect on the information asset?
Disclosure / Modification / Destruction / Interruption
(5) Security Requirements -- How would the information asset's security requirements be breached?
Only authorized members of the firm should be able to modify this asset.
(6) Probability -- What is the likelihood that this threat scenario could occur?
High / Medium / Low

(7) Consequences -- What are the consequences to the organization or the information asset owner as a result of the outcome and breach of security requirements?
If the intruder goes unnoticed, significant financial harm could come to the firm. Significant charges will be required to audit and redo the security protocol. Exposure of customer data may lead to fines and possible lawsuits.

(8) Severity -- How severe are these consequences to the organization or asset owner by impact area?
Impact Area -- Value -- Score
Reputation & Customer Confidence -- Low -- 2
Financial -- High -- 12
Productivity -- High -- 9
Safety & Health -- Low -- 5
Fines & Legal Penalties -- Med -- 2
User Defined Impact Area -- (not used)
Relative Risk Score: 30
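Worked scoring for Worksheet 10, as an added example that is not part of the paper or Data Mart's own tooling: it recomputes each impact area's score from the Worksheet 7 priorities and the rated impact values, sums them into the relative risk score, and ranks several threat scenarios. It assumes the standard OCTAVE Allegro convention, which the worksheet does not spell out (the highest rank is the most important area, Low/Moderate/High count 1/2/3, an area's score is its priority times its value, and the relative risk score is the sum), so its numbers follow from that convention rather than being copied from the filled worksheet; the outsider scenario and the insider scenario's probability are constructed.

```python
"""OCTAVE Allegro relative risk scoring for Worksheet 10 (added example).

Assumed standard Allegro convention, which the worksheet above does not state:
Worksheet 7 ranks impact areas 1..n with n the MOST important; Low/Moderate/High
count 1/2/3; an area's score is priority * value; the relative risk score is the
sum of the area scores; probability only orders scenarios whose scores tie.
"""
from dataclasses import dataclass

IMPACT_VALUE = {"Low": 1, "Moderate": 2, "Medium": 2, "Med": 2, "High": 3}
PROBABILITY_RANK = {"High": 3, "Medium": 2, "Low": 1}

# Impact area priorities as recorded in Worksheet 7 above.
PRIORITIES = {"Reputation & Customer Confidence": 1, "Financial": 3,
              "Productivity": 5, "Safety & Health": 4, "Fines & Legal Penalties": 2}

@dataclass
class ThreatScenario:
    name: str
    probability: str  # "High", "Medium" or "Low"
    impact: dict      # impact area -> "Low" / "Moderate" / "High"

def validate_priorities(priorities):
    """Ranks must be a permutation of 1..n, otherwise the scores are meaningless."""
    n = len(priorities)
    if sorted(priorities.values()) != list(range(1, n + 1)):
        raise ValueError(f"priorities must be a permutation of 1..{n}")
    return True

def area_scores(scenario, priorities=PRIORITIES):
    """Per-area score = priority * impact value; every area must be rated."""
    validate_priorities(priorities)
    return {area: rank * IMPACT_VALUE[scenario.impact[area]]
            for area, rank in priorities.items()}

def relative_risk(scenario, priorities=PRIORITIES):
    """Relative risk score = sum of the area scores (at most 3 * n(n+1)/2)."""
    return sum(area_scores(scenario, priorities).values())

def rank_scenarios(scenarios, priorities=PRIORITIES):
    """Highest relative risk first; the more probable scenario wins a tie."""
    return sorted(scenarios, reverse=True, key=lambda s: (
        relative_risk(s, priorities), PROBABILITY_RANK[s.probability]))

# Worksheet 10's insider scenario (its probability is not circled there, so
# Medium is assumed) and a constructed outsider scenario to compare against it.
INSIDER = ThreatScenario("Disgruntled employee on an internal workstation", "Medium", {
    "Reputation & Customer Confidence": "Low", "Financial": "High", "Productivity": "High",
    "Safety & Health": "Low", "Fines & Legal Penalties": "Med"})
OUTSIDER = ThreatScenario("Outsider reaching a technical container (constructed)", "High", {
    "Reputation & Customer Confidence": "High", "Financial": "High", "Productivity": "Moderate",
    "Safety & Health": "Low", "Fines & Legal Penalties": "High"})
```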
Identify Threat Scenarios
Threat Scenario Questionnaire 1
Technical Containers
This worksheet will help you think about scenarios that could affect your information asset on the technical containers where it resides. These scenarios may pose risks that you will need to address. Consider each scenario and circle an appropriate response. If your answer is "yes", consider whether the scenario could occur accidentally, intentionally or both.

Scenario 1:
Think about the people who work in your organization. Is there a situation in which an employee could access one or more technical containers, accidentally or intentionally, causing your information asset to be:
Disclosed to unauthorized individuals? -- No / Yes (accidentally) / Yes (intentionally)
Modified so that it is not usable for intended purposes? -- No / Yes (accidentally) / Yes (intentionally)
Interrupted so that it cannot be accessed for intended purposes? -- No / Yes (accidentally) / Yes (intentionally)
Permanently destroyed or temporarily lost so that it cannot be used for intended purposes? -- No / Yes (accidentally) / Yes (intentionally)

Scenario 2:
Think about the people who are external to your organization. This could include people who may or may not have a legitimate business relationship with your organization. Is there a situation where an outsider could access one or more technical containers, accidentally or intentionally, causing your information asset to be:
Disclosed to unauthorized individuals? -- No / Yes (accidentally) / Yes (intentionally)
Modified so that it is not usable for intended purposes? -- No / Yes (accidentally) / Yes (intentionally)
Interrupted so that it cannot be accessed for intended purposes? -- No / Yes (accidentally) / Yes (intentionally)
Permanently destroyed or temporarily lost so that it cannot be used for intended purposes? -- No / Yes (accidentally) / Yes (intentionally)
Threat Scenario Questionnaire 2
Physical Containers
This worksheet will help you think about scenarios that could affect your information asset on the physical containers where it resides. These scenarios may pose risks that you will need to address. Consider each scenario and circle an appropriate response. If your answer is "yes", consider whether the scenario could occur accidentally, intentionally or both.
Scenario 1:
Think about the people who work in your organization. Is there a situation in which an employee could access one or more physical containers, accidentally or intentionally, causing your information asset to be: