Project Part 2: Risk Assessment
Scenario
You are an IT security analyst working for TechWorx ReSale, Inc. a fictitious IT organization headquartered in Chicago, Illinois, and is a subsidiary of Techworx.
TechWorx ReSale primarily refurbishes old IT equipment and resales it for a profit. TechWorx ReSale has over 777 employees throughout the organization and generates $77 million USD in annual revenue. The company has two additional locations in Lawton, Oklahoma, and Augusta, Maine which support a mix of corporate operations. Each corporate facility is located near a co-location data center, where production systems are located and managed by third-party data center hosting vendors.
Company Products
TechWorx ReSale has two main products: RExchange and RPay,
RExchange is the primary source of revenue for the company. This system is where customers can shop, request, and order equipment.
RPay is a web portal used by the company’s RExchange customers to support the management of secure payments and billing. The RPay web portal, hosted at TechWorx ReSale production sites, accepts various forms of payments and interacts with credit card processing organizations.
TechWorx ReSale customers, which are individuals and commercial organizations, connect to all three of the company’s products using HTTPS connections. All customers can make payments and update their profiles using Internet-accessible HTTPS websites. No government customers and no customers from the EU or California.
Information Technology Infrastructure Overview
TechWorx ReSale operates in three production data centers that provide high availability across the company’s products. The data centers host about 500 production servers, and TechWorx ReSale maintains 1100 corporate laptops and company-issued mobile devices for its employees.
Results from recent audit and inspection:
Consider using the National Vulnerability database and/or the MITRE CVE database to assist you. (also, see pages 50-51 in your textbook)
There has not been a recent Threat assessment, but leadership is concerned with all categories of threats.
Management Request
Senior management at TechWorx ReSale has determined that the existing risk management plan for the organization is out of date and a new risk management plan must be developed. Because of the importance of risk management to the organization, senior management is committed to and supportive of the project to develop a new plan. You have been assigned to develop this new plan.
Additional threats other than those described previously may be discovered when re-evaluating the current threat landscape during the risk assessment phase.
The budget for this project has not been defined due to senior management’s desire to react to any and all material risks that are identified within the new plan. Given the company’s annual revenue, reasonable expectations can be determined
Project Part 2: Risk Assessment Plan
After creating an initial draft of the risk management plan, the next step is to create a draft of the risk assessment plan.
TechWorks Resale operates a specialty system called the Repo. The system costs $1500, research has shown these systems fail once every 3 years, the administrators are paid $100/hr and it will take two (2) administrators 2 hours to replace one of these systems. Four (4) employees use this system, and they make $50hr. These employees are completely unproductive while the system is down. Assume the exposure factor for this system is 100%.
A recent audit report identified that many servers were running MS SMB v1.0 which, as you know, is susceptible to MS17-010 Eternalblue. Additionally, they are running They are running Apache HTTP Server 2.4.49.
For this part of the project:
Review risk assessment approaches. (see week 5’s discussion for ideas). You may add sections to your report, but please ensure you include:the introduction (step 2)
Scope/Boundaries (step 3)
Risk Assessment results (step 4)
A priority list of Risks (step 5)
Summary/Conclusions (step 7)
Write an introduction to the plan explaining its purpose and importance. This is focused on the risk assessment not a repeat of the Risk management plan’s introduction.
Define the scope and boundaries for the risk assessment.Identify data center assets and activities to be assessed.
Complete a risk assessment using both qualitative and quantitative methods for a total of 4. You will come up with one risk on your own. The three other risks you must develop are based on a threat exploiting these three vulnerabilities: They are running Apache HTTP Server 2.4.49
The Repo (This is a quantitative risk based on the background information. Calculate the Annual Loss Expectancy (ALE) of the specialty server described in the background. Show your work. Identify ARO, SLE, and ALE in your calculations.
The SMBv1 vulnerability (Eternal Blue)
You will have three qualitative risks. Use Tables 5-1 and 5-2 for probability and impact. You may come up with your own probability and impact scales, but please explain.
Prioritize the four risks after completing the risk assessment. In other words, what is the order of the risks that we must deal with first to last?
Summary/Conclusions.
Complete the draft risk assessment plan detailing the information above. Risk assessment plans often include tables, but you choose the best format to present the material. Format the bulk of the plan similar to a professional business report and cite any sources you used.
Place this order or similar order and get an amazing discount. USE Discount code “GET20” for 20% discount