CSIS 344
CASE STUDY TEMPLATE
Risk Assessment
Your Name:
Name of Organization(s):
Executive Summary:
Bibliography:
Asset Identification
• Asset ID – one-up (sequential) number [1, 2, 3, etc.]
• Asset Name – brief descriptive title
• Asset Category – categorize the various assets as they are identified [e.g. hardware, software, data, intellectual property, branding, etc.]
• Description – how the information asset is stored, processed and/or transmitted by the system
• Classification – value of this asset to the overall system in terms of confidentiality, integrity, and availability; 5 = critical value to 1 = limited value
Asset ID | Asset Name | Category | Description | Classification
Threat Assessment
• Threat ID – one-up (sequential) number [1, 2, 3, etc.]. A particular threat should only be listed once but can be applied to numerous assets.
• Description – threat(s) against each asset as the information enters the system, is processed/stored by the system, and departs the system.
Asset ID | Threat ID | Description
Control Assessment
• Control ID – one-up (sequential) number [1, 2, 3, etc.]. A particular control should only be listed once, but can be applied to numerous threats.
• % Probability – the likelihood (expressed as a percentage) of the threat occurring, given the controls already in place.
• Control Category – A, T, P (Administrative, Technical, Physical)
• Control Type – P, D, Cr, Cm (Preventative, Detective, Corrective, Compensatory)
• Description – a description of any existing controls that impact threat occurrence.
Threat ID | Control ID | % Probability | Category | Type | Description
Business Impact Analysis
Use the range 100 = critical impact to 1 = limited impact for all categories of impact.
• Confidentiality Impact – effect if the information asset is revealed to an unauthorized person
• Integrity Impact – effect if the information asset is modified in an unauthorized manner
• Availability Impact – effect if the information asset is not accessible when needed
• Overall Impact – effect if the information asset suffers a breach of confidentiality, integrity, and/or availability. Above this table, describe the method you used to translate the three CIA impacts into an Overall Impact.
• Overall Impact Description – describe the overall impact of a breach of confidentiality, integrity, and/or availability
Asset ID | Confidentiality Impact | Integrity Impact | Availability Impact | Overall Impact | Overall Impact Description
Risk Matrix
Risk Level = Threat Probability * Overall Impact
100 = critical risk to 0 = no risk. Because the probability is recorded as a percentage (0–100) and the Overall Impact on a 1–100 scale, divide the product by 100 (or use the probability as a fraction) so the Risk Level stays on the 0–100 scale.
Risk Category: S, F, Rp, O, P, Rg
• Strategic (S) risk relates to adverse business decisions.
• Financial or investment (F) risk relates to monetary loss.
• Reputational (Rp) risk relates to negative public opinion.
• Operational (O) risk relates to loss resulting from inadequate or failed processes or systems.
• Personnel (P) risk relates to issues that affect morale, productivity, recruiting, and retention.
• Regulatory/compliance (Rg) risk relates to violations of laws, rules, regulations, or policy.
Asset ID | Threat ID | Threat Probability | Overall Impact | Risk Level | Risk Category
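Worked example of filling the Risk Matrix from the tables above. This is an added example, not part of the course template: the assets, threats, controls and numbers are constructed sample data, the "worst of the three CIA impacts" rule for Overall Impact is an assumption of the kind the Assumptions section asks you to document above the Business Impact Analysis table, and where more than one control is assessed for a threat the example takes the lowest residual probability (also an assumption). It also shows the normalization needed when probability is a percentage so that Risk Level stays on the 0–100 scale.

```python
# Added worked example (not part of the course template): builds the Risk
# Matrix rows from the Asset, Threat, Control and Business Impact tables.
# All data below is constructed; the "worst of C/I/A" Overall Impact rule and
# the "lowest residual probability" rule are documented assumptions.
from dataclasses import dataclass
from typing import Dict, List, Tuple

@dataclass(frozen=True)
class Asset:
    asset_id: int
    name: str
    category: str
    c_impact: int  # Confidentiality Impact, 1..100
    i_impact: int  # Integrity Impact, 1..100
    a_impact: int  # Availability Impact, 1..100

@dataclass(frozen=True)
class Threat:
    threat_id: int
    description: str
    risk_category: str          # S, F, Rp, O, P or Rg
    asset_ids: Tuple[int, ...]  # listed once, applied to many assets

@dataclass(frozen=True)
class Control:
    control_id: int
    threat_id: int
    probability_pct: float  # % Probability of the threat given this control
    category: str           # A, T or P
    ctype: str              # P, D, Cr or Cm
    description: str

RISK_CATEGORIES = {"S", "F", "Rp", "O", "P", "Rg"}

def _check_range(value: float, low: float, high: float, what: str) -> None:
    if not low <= value <= high:
        raise ValueError(f"{what} must be between {low} and {high}, got {value}")

def overall_impact(asset: Asset) -> int:
    """Assumed aggregation rule: Overall Impact is the worst of the three
    CIA impacts, so a breach of any single property counts at full weight."""
    cia = (("Confidentiality", asset.c_impact), ("Integrity", asset.i_impact),
           ("Availability", asset.a_impact))
    for label, value in cia:
        _check_range(value, 1, 100, f"{label} Impact")
    return max(value for _, value in cia)

def risk_level(probability_pct: float, impact: int) -> float:
    """Risk Level = Threat Probability * Overall Impact, kept on 0..100.
    Probability is a percentage, so the raw product would reach 10,000;
    dividing by 100 restores the 100 = critical, 0 = no risk scale."""
    _check_range(probability_pct, 0, 100, "% Probability")
    _check_range(impact, 1, 100, "Overall Impact")
    return round(probability_pct * impact / 100, 1)

def build_risk_matrix(assets: List[Asset], threats: List[Threat],
                      controls: List[Control]) -> List[Dict[str, object]]:
    """One row per (asset, threat) pair, highest Risk Level first. Where
    several controls are assessed for one threat, the lowest residual
    probability is used (assumption: the controls reinforce each other)."""
    asset_by_id = {a.asset_id: a for a in assets}
    prob_by_threat: Dict[int, float] = {}
    for c in controls:
        prob_by_threat[c.threat_id] = min(
            prob_by_threat.get(c.threat_id, 100.0), c.probability_pct)
    rows = []
    for t in threats:
        if t.risk_category not in RISK_CATEGORIES:
            raise ValueError(f"threat {t.threat_id}: bad category {t.risk_category!r}")
        if t.threat_id not in prob_by_threat:
            raise ValueError(f"threat {t.threat_id} has no control assessment")
        p = prob_by_threat[t.threat_id]
        for asset_id in t.asset_ids:
            impact = overall_impact(asset_by_id[asset_id])
            rows.append({"asset_id": asset_id, "threat_id": t.threat_id,
                         "probability_pct": p, "overall_impact": impact,
                         "risk_level": risk_level(p, impact),
                         "risk_category": t.risk_category})
    rows.sort(key=lambda r: r["risk_level"], reverse=True)
    return rows

# Constructed sample data (not from any real organization).
ASSETS = [
    Asset(1, "Customer database", "data", 90, 80, 60),
    Asset(2, "Public web server", "hardware", 30, 60, 85),
    Asset(3, "Employee laptops", "hardware", 70, 40, 30),
]
THREATS = [
    Threat(1, "SQL injection against the customer-facing web application", "Rg", (1, 2)),
    Threat(2, "Theft of a laptop holding customer records", "Rp", (3,)),
    Threat(3, "Volumetric DDoS against the public web server", "O", (2,)),
]
CONTROLS = [
    Control(1, 1, 20, "T", "P", "Parameterized queries plus a web application firewall"),
    Control(2, 1, 25, "A", "D", "Quarterly application penetration test"),
    Control(3, 2, 15, "T", "P", "Full-disk encryption enforced by device management"),
    Control(4, 3, 50, "T", "Cm", "Upstream DDoS scrubbing service"),
]

if __name__ == "__main__":
    for row in build_risk_matrix(ASSETS, THREATS, CONTROLS):
        print(row)
```

With the sample data the highest row is the public web server against the DDoS threat (50% * 85 / 100 = 42.5), and the SQL injection threat produces one row per mapped asset (18.0 and 17.0) using the lower of its two assessed control probabilities. Without the division by 100 the same rows would read 4250, 1800 and 1700, which is why the scale in the formula has to be stated explicitly.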
Risk Management
• Mitigation – A, E, R, T (Acceptance, Elimination, Reduction, Transfer of the risk)
• Control Implementation Description – describe how the control would be implemented to mitigate the threat to each asset
Asset ID | Threat ID | Control ID | Mitigation | Control Implementation Description
CSIS 344
CASE STUDY ASSIGNMENT INSTRUCTIONS
OVERVIEW
For the case study, you will conduct a quantitative risk assessment for an organization of your
choice. The paper will report the result of the quantitative risk assessment in support of
implementing an Information Security program or improving the program the organization
already has in place.
INSTRUCTIONS
For this assignment, you will use the Case Study Template which can be found on the Case
Study Assignment page. You will write a research-based paper of at least 1,000 words in
current APA format. The research-based paper must include at least 5 references in addition to
the course textbooks and the Bible. The information from the Case Study Assignment must be
incorporated into the Research Paper: Final Assignment. Follow the directions below when
completing the Case Study Template.
Organization to be assessed
This section will provide an Executive Summary with a minimum of 300 words in length, to
describe the type of organization, the geographic location of its headquarters or primary business
location, the size of the organization in employee numbers and business volume as expressed by
sales or revenue, any relevant regulatory compliance oversight involved, and any products or
services key to organization success.
An assigned organization case study environment will be used for the Risk Assessment. If a
specific organization is assigned, use that organization's case study; otherwise, a composite
of resources can be used to provide the background for this project.
If a single organization is assessed, give its name; if multiple organizations are researched,
write "Composite" and list the organizations included as part of the Executive Summary.
In the bibliography, place an active link, in proper APA formatting, for all research resources
used in this case study.
Risk Assessment Steps
Asset Identification – All the information stored, processed or transmitted by the system must
be identified, listed, and described. Each asset must be classified (in terms of confidentiality,
integrity, and availability) according to its value to the organization.
Regardless of the size of the assigned organization, 20 assets is the minimum number of
assets.
Threat Assessment – The threat(s) on each asset must be identified, listed, and described. Each
threat should be mentioned once in the list and mapped to multiple assets if necessary.
For an enterprise-class organization (examples: Liberty University, Target, etc.), 40 threats
is the minimum number of threats.
Control Assessment – The likelihood of the threat’s occurrence (in terms of any security
controls already in place) will be expressed as a percentage.
Business Impact Analysis – Determine the possible impact to the organization, based on the
business need for Confidentiality, Integrity and Availability.
Risk Matrix – Calculate the risk exposure of each information asset using the formula risk =
probability * impact.
Risk Management – As much as possible, alleviate the risks by implementing controls to accept,
eliminate, reduce or transfer the risks.
Assumptions
If you need to add something to the methodology [for example – how to translate the CIA
impacts into the Overall Impact] decide how you will proceed and simply document your
approach at the beginning of each table.