Assignment 5: Understand Risk Assessment
For this assignment, you will review some methods of assessing risk and take a look at the South Carolina state IT security policy guidelines for risk assessment. You will then assess the IT risks for the company or organization you identified in Assignment 1.
Background Material
One of the key tasks required when creating a security policy is to identify potential risks to the organization and assess the consequences of those risks. To understand the concept of a risk in an IT context, it is useful to review the IT Risk Strategy portion of the South Carolina Information Security Policy. In this policy, risk is defined as:
“A measure of the extent to which an entity is threatened by a potential circumstance or event, and typically a function of: (i) the adverse impacts that would arise if the circumstance or event occurs; and (ii) the likelihood of occurrence. Information system-related security risks are those risks that arise from the loss of confidentiality, integrity, or availability of information or information systems and reflect the potential adverse impacts to organizational operations (including mission, functions, image, or reputation), organizational assets, individuals, other agencies, and the State.” (p.9)
Some general approaches to identifying and managing risks are described in the Risk Management portion of the state IT policy. In general, these approaches involve first identifying the risks and then determining the potential impacts that could follow from these risks. More detailed approaches to risk assessment and management include (but are not limited to):
- NIST SP 800-30 Guide for Conducting Risk Assessments
- NIST Risk Management Framework
- ISO 27001
- NOTE: The actual ISO 27001 standard is paywalled.
- COBIT
- NOTE: The actual COBIT documents are paywalled (notice a pattern?).
- Security Technical Implementation Guides (STIGs)
One source of risk that is important not to overlook is the impact of applicable regulations upon the organization. For example, the General Data Protection Regulation (GDPR) applies to any organization doing business in the European Union. Similarly, the California Consumer Privacy Act (CCPA) applies to any company doing business in California. Nationwide, the Health Insurance Portability and Accountability Act (HIPAA) applies to anything that might be considered a medical record.
Another important source of risk is the organization's own personnel. While a rogue or disgruntled employee could attempt to disrupt the organization intentionally, there are also unintentional consequences to having either too many or too few employees involved in a single project within the company. On the one hand, "too many cooks in the kitchen" will tend to create endless circular discussions that produce little to no forward progress. At the other extreme, a low bus factor in any one area of the company creates a risk that is realized if the small number of involved employees leave the company or become incapacitated. A low bus factor is an especially concerning risk in IT departments, since one person might be responsible for the security of multiple corporate systems.
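The following is an added example, not part of the assignment text or the state policy, showing how the definition above (risk as a function of impact and likelihood) can be turned into a small risk register, and how the bus factor concern from the previous paragraph can be checked mechanically. The five-step scale, the product-and-band rating rule, and the fictional clinic's risks, systems and staff names are all assumptions constructed for the example; they are not the policy's own table or data.

```python
"""Added example: a small risk register that rates each risk from likelihood and impact
and derives additional risks from single-person system ownership (low bus factor).
The company, systems, people and ratings below are constructed sample data."""
from dataclasses import dataclass

# Qualitative scale used for both likelihood and impact (assumed five-step scale,
# similar in spirit to the qualitative scales in NIST SP 800-30; not the policy's own table).
LEVELS = ["very_low", "low", "moderate", "high", "very_high"]


@dataclass
class Risk:
    name: str
    likelihood: str
    impact: str
    regulations: tuple = ()  # e.g. ("HIPAA",) when the affected data is a medical record


def rate(likelihood: str, impact: str) -> str:
    """Combine likelihood and impact into a qualitative risk rating.

    Assumed rule: multiply the 1..5 scores and band the product.
    """
    product = (LEVELS.index(likelihood) + 1) * (LEVELS.index(impact) + 1)
    if product >= 16:
        return "very_high"
    if product >= 10:
        return "high"
    if product >= 5:
        return "moderate"
    if product >= 2:
        return "low"
    return "very_low"


def orphaned_systems(owners: dict, leaving: set) -> list:
    """Systems that nobody could administer if everyone in `leaving` departed at once."""
    return sorted(system for system, people in owners.items() if not (people - leaving))


def bus_factor_risks(owners: dict) -> list:
    """One derived Risk per system whose bus factor is 1 (a single responsible person)."""
    risks = []
    for system, people in sorted(owners.items()):
        if len(people) == 1:
            (person,) = people
            # Assumed default ratings for a sole-administrator risk
            risks.append(Risk(f"loss of sole admin ({person}) for {system}", "moderate", "high"))
    return risks


def build_register(risks: list, owners: dict) -> list:
    """Return (rating, risk) pairs, highest rating first; ties keep input order."""
    all_risks = list(risks) + bus_factor_risks(owners)
    rated = [(rate(r.likelihood, r.impact), r) for r in all_risks]
    rated.sort(key=lambda pair: LEVELS.index(pair[0]), reverse=True)
    return rated


# Constructed sample input for a fictional clinic
SAMPLE_RISKS = [
    Risk("ransomware on file server", "moderate", "very_high", ("HIPAA",)),
    Risk("unpatched VPN appliance", "high", "high"),
    Risk("lost laptop with EU customer list", "low", "moderate", ("GDPR",)),
    Risk("printer firmware outdated", "low", "very_low"),
]
SAMPLE_OWNERS = {
    "firewall": {"alice"},
    "EHR database": {"alice", "bob"},
    "backup server": {"carol"},
}

if __name__ == "__main__":
    for rating, risk in build_register(SAMPLE_RISKS, SAMPLE_OWNERS):
        regs = ", ".join(risk.regulations) or "none"
        print(f"{rating:10} {risk.name} (regulations: {regs})")
    print("systems orphaned if alice leaves:", orphaned_systems(SAMPLE_OWNERS, {"alice"}))
```

The register makes the two halves of the definition visible side by side: the unpatched VPN rates higher than the ransomware scenario because its likelihood is higher even though its impact is lower, and the two systems with a single administrator appear as risks in their own right without anyone having to remember to write them down. Tagging each risk with the regulations it touches keeps the regulatory question from the next paragraphs attached to the specific asset rather than answered in the abstract.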
Initial Post Requirements
Using the resources from the Background Material section as a guide, analyze possible risks that the company or organization you described in Assignment 1 faces. In analyzing these risks, consider the following:
- What are the risks?
- What regulations (if any) are applicable to this organization?
- What are the potential consequences if the risks are realized? In other words, if a threat actor manages to exploit a vulnerability considered in the risk assessment, what kind of damage could they do?
As a reminder, you must do your own writing. Use of ChatGPT or other artificial intelligence tools is NOT PERMITTED, beyond the use of the automated word completion and grammar checking that may be available in Microsoft Teams.
Completion Standards
A complete initial post for this assignment:
- Identifies security risks applicable to the company or organization described in Assignment 1.
- Explains the potential consequences to the organization if the risks are realized.
- States how the risk assessment was performed, citing at least 2 sources (which may include information from the Background Material section above). Citations may be informal – a link is sufficient.
There are no word limits or targets (minimum or maximum), but try to make the post both complete and concise.
Assessment
Successful completion of this assignment satisfies the following course student learning outcome:
- SLO 1. Engage with the information systems technology professional or academic communities through superior communication, analytical, technical, and critical thinking skills.